[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
EMAIL PRIVACY ACT
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON THE JUDICIARY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
ON
H.R. 699
__________
DECEMBER 1, 2015
__________
Serial No. 114-53
__________
Printed for the use of the Committee on the Judiciary
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://judiciary.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
97-726 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON THE JUDICIARY
BOB GOODLATTE, Virginia, Chairman
F. JAMES SENSENBRENNER, Jr., JOHN CONYERS, Jr., Michigan
Wisconsin JERROLD NADLER, New York
LAMAR S. SMITH, Texas ZOE LOFGREN, California
STEVE CHABOT, Ohio SHEILA JACKSON LEE, Texas
DARRELL E. ISSA, California STEVE COHEN, Tennessee
J. RANDY FORBES, Virginia HENRY C. ``HANK'' JOHNSON, Jr.,
STEVE KING, Iowa Georgia
TRENT FRANKS, Arizona PEDRO R. PIERLUISI, Puerto Rico
LOUIE GOHMERT, Texas JUDY CHU, California
JIM JORDAN, Ohio TED DEUTCH, Florida
TED POE, Texas LUIS V. GUTIERREZ, Illinois
JASON CHAFFETZ, Utah KAREN BASS, California
TOM MARINO, Pennsylvania CEDRIC RICHMOND, Louisiana
TREY GOWDY, South Carolina SUZAN DelBENE, Washington
RAUL LABRADOR, Idaho HAKEEM JEFFRIES, New York
BLAKE FARENTHOLD, Texas DAVID N. CICILLINE, Rhode Island
DOUG COLLINS, Georgia SCOTT PETERS, California
RON DeSANTIS, Florida
MIMI WALTERS, California
KEN BUCK, Colorado
JOHN RATCLIFFE, Texas
DAVE TROTT, Michigan
MIKE BISHOP, Michigan
Shelley Husband, Chief of Staff & General Counsel
Perry Apelbaum, Minority Staff Director & Chief Counsel
C O N T E N T S
----------
DECEMBER 1, 2015
Page
THE BILL
H.R. 699, the ``Email Privacy Act''.............................. 2
OPENING STATEMENTS
The Honorable Bob Goodlatte, a Representative in Congress from
the State of Virginia, and Chairman, Committee on the Judiciary 1
The Honorable John Conyers, Jr., a Representative in Congress
from the State of Michigan, and Ranking Member, Committee on
the Judiciary.................................................. 20
WITNESSES
Andrew Ceresney, Director, Division of Enforcement, United States
Securities and Exchange Commission
Oral Testimony................................................. 23
Prepared Statement............................................. 25
Steven H. Cook, President, National Association of Assistant
United States Attorneys
Oral Testimony................................................. 31
Prepared Statement............................................. 33
Richard Littlehale, Assistant Special Agent in Charge, Tennessee
Bureau of Investigation
Oral Testimony................................................. 47
Prepared Statement............................................. 49
Chris Calabrese, Vice President, Policy, Center for Democracy and
Technology
Oral Testimony................................................. 58
Prepared Statement............................................. 60
Richard Salgado, Director, Law Enforcement and Information
Security, Google Inc.
Oral Testimony................................................. 75
Prepared Statement............................................. 77
Paul Rosenzweig, Visiting Fellow, The Heritage Foundation,
Founder, Red Branch Consulting
Oral Testimony................................................. 89
Prepared Statement............................................. 91
LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING
Prepared Statement of the Honorable Jared Polis, a Representative
in Congress from the State of Colorado, submitted by the
Honorable John Conyers, Jr., a Representative in Congress from
the State of Michigan, and Ranking Member, Committee on the
Judiciary...................................................... 102
APPENDIX
Material Submitted for the Hearing Record
Prepared Statement of the Honorable Doug Collins, a
Representative in Congress from the State of Georgia, and
Member, Committee on the Judiciary............................. 129
Prepared Statement of the Honorable Sheila Jackson Lee, a
Representative in Congress from the State of Texas, and Member,
Committee on the Judiciary..................................... 131
Prepared Statement of the Honorable Kevin Yoder, a Representative
in Congress from the State of Kansas........................... 133
Letter from the Honorable Brad R. Wenstrup, a Representative in
Congress from the State of Ohio..........................136
deg.OFFICIAL HEARING RECORD
Unprinted Material Submitted for the Hearing Record
Material submitted by the Honorable Bob Goodlatte, a Representative in
Congress from the State of Virginia, and Chairman, Committee on the
Judiciary. This material is available at the Committee and can also
be accessed at:
http://docs.house.gov/Committee/Calendar/
ByEvent.aspx?EventID=104232.
EMAIL PRIVACY ACT
----------
TUESDAY, DECEMBER 1, 2015
House of Representatives
Committee on the Judiciary
Washington, DC.
The Committee met, pursuant to call, at 10:12 a.m., in room
2141, Rayburn House Office Building, the Honorable Bob
Goodlatte (Chairman of the Committee) presiding.
Present: Representatives Goodlatte, Sensenbrenner, Chabot,
Issa, King, Gohmert, Jordan, Poe, Chaffetz, Marino, Gowdy,
Collins, DeSantis, Walters, Buck, Ratcliffe, Trott, Bishop,
Conyers, Nadler, Lofgren, Jackson Lee, Johnson, Chu, DelBene,
Jeffries, and Cicilline.
Staff Present: (Majority) Shelley Husband, Chief of Staff &
General Counsel; Branden Ritchie, Deputy Staff Director & Chief
Counsel; Allison Halataei, Parliamentarian & General Counsel;
Kelsey Williams, Clerk; Caroline Lynch, Chief Counsel,
Subcommittee on Crime, Terrorism, Homeland Security, and
Investigations; (Minority) Perry Apelbaum, Staff Director &
Chief Counsel; Aaron Hiller, Chief Oversight Counsel; Joe
Graupensperger, Chief Counsel, Subcommittee on Crime,
Terrorism, Homeland Security, and Investigations; Tiffany
Joslyn, Deputy Chief Counsel, Crime, Terrorism, Homeland
Security, and Investigations; and Veronica Eligan, Professional
Staff Member.
Mr. Goodlatte. Good morning. The Judiciary Committee will
come to order, and without objection, the Chair is authorized
to declare recesses of the Committee at any time. We welcome
everyone to this morning's legislative hearing on H.R. 699, the
``Email Privacy Act,'' and I'll begin by recognizing myself for
an opening statement.
[The bill, H.R. 699, follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Today's hearing examines H.R. 699, the
``Email Privacy Act,'' and the need to modernize the Electronic
Communications Privacy Act, or ECPA. In enacting ECPA nearly 30
years ago, Congress declared that the law's purpose was to
achieve a fair balance between the privacy expectations of
American citizens and the legitimate needs of law enforcement
agencies. Reforming this decades old outdated law has been a
priority for me as Chairman of this Committee, and I've been
working with Members of Congress, advocacy groups, and law
enforcement for years on many complicated nuances involved in
updating this law.
I am pleased to now hold this important hearing to examine
the leading reform proposal in the House, H.R. 699, and to
examine in more detail the nuances Congress must consider in
updating this law. While technology has undoubtedly outpaced
the law in the last three decades, the purpose of the law
remains steadfast. I am confident that Congress will once again
strike that balance and do so in a way that continues to
promote the development and use of new technologies and
services, and create a statutory framework that will modernize
the law to reflect how people communicate with one another
today and in the future.
ECPA reform has broad sweeping implications. ECPA, and more
specifically, the Stored Communications Act, governs Federal,
State, and local government access to stored email, account
records, and subscriber information from telephone, email, and
other service providers. ECPA not only applies when law
enforcement seeks information in a criminal investigation, but
also in civil investigations and for public safety emergencies.
H.R. 699, at its core, establishes for the first time, in
Federal statute, a uniform warrant requirement for stored
communications content in criminal investigations, regardless
of the type of service provider, the age of an email, or
whether the email has been opened. I support the core of H.R.
699, which would establish a standard that embodies the
principles of the Fourth Amendment and reaffirms our commitment
to protecting the privacy interests of the American people.
However, our adherence to the Fourth Amendment should not
end there. Congress can ensure that we are furthering the
legitimate needs of law enforcement through ECPA reform by
joining with the warrant requirement recognized exceptions and
procedures designed to further the legitimate needs of law
enforcement. One of the goals of this legislation is to treat
searches in the virtual world and the physical world equally,
so it makes sense that the exceptions to the warrant
requirement and the procedures governing service of warrants
should also be harmonized.
It is well settled law that the government may conduct a
search in the absence of a warrant in certain instances,
including when the government determines that an emergency
exists requiring the search, or when the government obtains the
consent of the owner of the information. The Stored
Communications Act, however, created a framework unique to the
electronic world in which even in an emergency or with a
consent of the customer, disclosure of email content or even
noncontent records is voluntary at the discretion of the
provider. It is also well established law that a search warrant
must be served at the place where the search or seizure occurs.
For 3 decades, ECPA warrants have been executed with the
provider because, as with any other third-party custodian, the
information sought is stored with them. H.R. 699 would now
require the government to also serve the warrant directly on
the criminal suspect, a proposal which has raised serious
public safety and operational concerns across the law
enforcement community.
Congress should also continue to ensure that civil
investigative agencies are able to obtain electronic
communication information for civil violations of Federal law.
Courts have routinely held that subpoenas satisfy the
reasonableness requirement of the Fourth Amendment. Unlike a
warrant, which is issued without prior notice, and is executed
often by force with an unannounced and unanticipated physical
intrusion. A subpoena commences an adversarial process during
which the person served with the subpoena may challenge it in
court before complying with its demands.
The Stored Communications Act currently authorizes the
issuance of a subpoena directly to the provider, albeit with a
requirement that the government notify the customer. But
Congress can go further to ensure that ECPA satisfies the
Fourth Amendment by requiring that any civil process authorized
by the law begin with service of a subpoena directly on the
customer.
In this context, the customer is provided notice and the
opportunity to contest the subpoena. Enforcement of the
subpoena through a court order issued by a Federal judge that
protects the rights and privileges of the customer, while
ensuring that evidence of illegal activity is not insulated
from investigators, would afford heightened protections beyond
that which the courts have deemed necessary to comport with the
Fourth Amendment.
Congress has enacted laws that impose penalties for certain
conduct, sometimes criminal penalties and sometimes civil. We
have established Federal agencies to enforce these laws with
the tools necessary to carry out that enforcement. Congress
should ensure that, in its efforts to modernize ECPA, we do not
eliminate access to evidence of violations of Federal law
simply because Congress chose to make those violations
punishable by civil penalties.
I want to thank our distinguished witnesses for being here
today, and I look forward to hearing from each of you on H.R.
699 and how to properly balance the privacy expectations of
American citizens and the legitimate needs of law enforcement.
And I look forward to working with all Members on both sides of
the aisle to modernize the Electronic Communications Privacy
Act. It is worth noting today that we also plan to hold a
separate hearing in the future on the issue surrounding law
enforcement access to information located on servers outside
the U.S. As with the broader topic of ECPA reform, that is an
issue with many nuances that we should carefully examine.
I would now like to ask unanimous consent to enter the
following items into the record: a statement dated
1 deg.December 1, 2015, from the Department of
Justice; a 2 deg.letter from the Federal Bureau of
Investigation Agents Association dated November 24, 2015; a
3 deg.letter from the National Association of Police
Organizations dated November 30, 2015; a 4 deg.letter
from the Association of Prosecuting Attorneys dated November
24, 2015; a 5 deg.letter from the Virginia Association
of Commonwealth Attorneys dated July 10, 2015; a
6 deg.letter from the Technology Councils of North
America dated November 30, 2015; a 7 deg.statement
from Americans for Tax Reform dated December 1, 2015; and a
8 deg.coalition letter signed by Tech Freedom and
other coalition members dated November 30, 2015.*
---------------------------------------------------------------------------
*Note: The material submitted by Mr. Goodlatte is not printed in
this hearing record but is on file with the Committee. See also ``For
the Record Submission--Rep. Goodlatte'' at:
http://docs.house.gov/Committee/Calendar/
ByEvent.aspx?EventID=104232.
Without objection, the items have been entered into the
record.
It's now my pleasure to recognize the Ranking Member of the
Judiciary Committee, the gentleman from Michigan, Mr. Conyers
for his opening statement.
Mr. Conyers. Thank you, Chairman Goodlatte, Members of the
Committee, and our honored witnesses here for the hearing, and
those who are in 2141 to participate in the listening of this
very important measure.
H.R. 699, the ``Email Privacy Act,'' enjoys I'm pleased to
say, the overwhelming bipartisan support in the House. As of
this morning, the bill has earned 304 cosponsors; 191
Republicans, 113 Democrats; and 27 Members of the House
Judiciary Committee.
Now, what do all of these Members have in common? First of
all, we agree that the Electronic Communications Privacy Act is
outdated and provides unjustifiably inconsistent standards for
government access to our stored communication. This statute
continues to serve as one of the main guarantees of our digital
privacy, but the law was designed in 1986, when few of us used
email, and even fewer imagined a world in which we could so
freely share information online.
The consequences of applying a 30-year-old understanding of
technology to modern communications are inconsistent, at best.
For example, the law seems to apply different standards for
government access to the same email at different points in its
lifecycle, when it's drafted, when it's transmitted, when it's
opened by its recipient, and when it is archived in the cloud.
We are not well served by a law whose application is
unpredictable and that the courts have had great difficulty in
interpreting. Because of the rapid pace of technological
change, this situation will only get worse if we do not act.
Secondly, the sponsors of this bill agree that the
government should be obligated to show probable cause before it
can require a provider to disclose the content in its
customer's mail, no matter how old the message is. This
standard is consistent with the holding of the Sixth Circuit
court in the Warshak case in 2010. That case motivated the
Department of Justice to voluntarily adopt a warrants for email
standard. It also effectively ended the unconstitutional use of
subpoenas to compel third parties to produce content in civil
enforcement actions.
Current law requires the government to show probable cause
and obtain a warrant only for email that has been in storage
for 180 days or less. But the government can use and subpoena
for the same email if it's stored for 1 day longer. This is no
longer acceptable to most Americans. As the Sixth Circuit
rightly observed, citizens have the same reasonable expectation
of privacy in their email before and after the 180-day mark,
and as the Department of Justice testified soon thereafter,
there is no principal basis to treat email less than 180 days
old differently than email more than 180 days old.
Thirdly, the sponsors of H.R. 699 all agree that current
law is not adequate to protect new forms of digital
communication. Content is content. Our expectation of privacy
does not diminish merely because Congress didn't think of the
medium when it last visited the statute. The law should protect
electronic communications across the board, email, text
messages, private messages of all sorts, and other forms of
digital information stored in the cloud.
Finally, the sponsors of this bill agree that we must act
without delay. We have an obligation to provide clear standards
to law enforcement with respect to emerging technologies. We
should also recognize that American businesses cannot sustain
these new technologies if consumers cannot trust them.
As the Committee takes up this bill, we should ensure that
it does not conflict with the basic notion that the
government's seizure of our email without a warrant violates
the Fourth Amendment, but we should note that this principle
has already taken hold across the Federal Government. The
Department of Justice already uses warrants for email in
criminal cases. The government stopped using lesser process in
the civil context years ago.
In short, Mr. Chairman and Members, this legislation
accomplishes two vital tasks. It updates the statute for modern
use, and it does so without any significant interruption to law
enforcement. We should all come together on this bill as soon
as possible, and I want to personally thank the witnesses for
being with us today and for their testimony, and I urge my
colleagues to give this measure their full support, and I thank
the Chairman.
Mr. Goodlatte. Thank you, Mr. Conyers. And before we swear
in the witnesses, I'd like to recognize the presence of the
chief sponsor of the legislation, the gentleman from Wisconsin,
Mr. Yoder. Thank you for being with us today. Kansas, Kansas,
Kansas. The gentleman from Wisconsin says he'll take you.
We welcome our distinguished witnesses today, and if you
would all please rise, I'll begin by swearing you in. If you'd
please raise your right hand.
Do you and each of you swear that the testimony that you
are about to give shall be the truth, the whole truth, and
nothing but the truth, so help you God?
Thank you very much. You may please be seated, and let the
record reflect that the witnesses have responded in the
affirmative.
Mr. Andrew Ceresney is the director of the enforcement
division at the United States Securities and Exchange
Commission, where he has served since 2013. Prior to joining
the SEC, Mr. Ceresney served as the assistant United States
Attorney in the U.S. Attorneys Office for the Southern District
of New York where he was a deputy chief appellate attorney and
a member of the Securities and Commodities Fraud Task Force in
the Major Crimes Unit. As a prosecutor, Mr. Ceresney handled
numerous white-collar criminal investigations, trial and
appeals, including matters related to securities fraud, mail
and wire fraud, and money laundering. He is a graduate of
Columbia College and Yale law school.
Mr. Steven Cook is president of the National Association of
Assistant U.S. Attorneys. He currently serves as the chief of
staff of the criminal division of the U.S. Attorney's Office
for the Eastern District of Tennessee. He has been an assistant
U.S. Attorney for 29 years. In this capacity, he has worked in
the Organized Crime Drug Enforcement Task Force and the General
Crimes Section where he handled white-collar crime, fraud, and
public corruption. He also served as the deputy criminal chief
in the narcotics and violent crime section. Prior to joining
the U.S. Attorney's Office, Mr. Cook was a police officer for 7
years in Knoxville, Tennessee. He earned a JD from the
University of Tennessee.
Mr. Richard Littlehale is the assistant special agent in
charge at the Tennessee Bureau of Investigation. In addition to
his duties as an investigative supervisor, Mr. Littlehale
serves as an advisor and trainer in criminal law and procedure,
as well as the Bureau's chief firearms instructor. Mr.
Littlehale is a frequent presenter to community organizations
on ways to protect children online. He is active in engaging
the legal community on better ways to protect children from
victimization. Mr. Littlehale received a bachelor's degree from
Bowdoin College and JD from Vanderbilt University.
Mr. Chris Calabrese is the vice president for policy at the
Center for Democracy and Technology where he oversees the
center's policy portfolio. Before joining CDT, Chris served as
legislative counsel at the American Civil Liberties Union
legislative office where he led advocacy efforts relating to
privacy, new technology, and identification systems. Prior to
joining the ACLU, Chris served as legal counsel to the
Massachusetts Senate majority leader. Chris is a graduate of
Harvard University and holds a JD from the Georgetown
University Law Center.
Mr. Richard Salgado is the director of law enforcement and
information security at Google. Mr. Salgado oversees Google's
global law enforcement and national security efforts and legal
matters relating to data, security, and investigations.
Previously, Mr. Salgado worked with Yahoo and also served as
senior counsel in the computer crimes section of the U.S.
Justice Department. As a prosecutor, he specialized in computer
network crime, such as hacking, wiretaps, denial of service
attacks, malicious code, and other technology driven privacy
crimes. In 2005, he joined Stanford law school as a legal
lecturer on computer crime, Internet business legal and policy
issues, and modern surveillance law. He received his JD from
Yale law school.
Mr. Paul Rosenzweig is the founder of Red Branch
Consulting, a homeland security consulting company and a senior
advisor to the Chertoff Group. Mr. Rosenzweig formerly served
as deputy assistant secretary for policy in the Department of
Homeland Security. He is a distinguished visiting fellow at the
Homeland Security Studies and Analysis Institute. He also
serves as a lecturer in law at George Washington University and
adjunct professor at the National Defense University, a senior
editor of the Journal of National Security Law and Policy, and
is a visiting fellow at the Heritage Foundation. He earned a
bachelor's degree from Haverford College, a master's from
Scripps Institution of Oceanography, and a JD from the
University of Chicago law school.
Your written statements will be entered into the record in
their entirety, and we ask that each of you summarize your
testimony in 5 minutes. To help you stay within that time,
there's a timing light on your table. When the light switches
from green to yellow, you have 1 minute to conclude your
testimony. When the light turns red, that's it, time's up, and
it signals that your time has expired.
Mr. Ceresney, am I pronouncing your name correctly?
Mr. Ceresney. You are.
Mr. Goodlatte. Thank you very much, and you may begin.
TESTIMONY OF ANDREW CERESNEY, DIRECTOR, DIVISION OF
ENFORCEMENT, UNITED STATES SECURITIES AND EXCHANGE COMMISSION
Mr. Ceresney. Good morning, Chairman Goodlatte. Good
morning, Chairman Goodlatte, Ranking Member Conyers, and
Members of the Committee. Thank you for inviting me to testify
today on behalf of the commission concerning Email Privacy Act,
H.R. 699, pending before your Committee.
The bill seeks to modernize portions of the Electronic
Communications Privacy Act, ECPA, which became law in 1986. I
share the goal of updating ECPA's evidence collection
procedures and privacy protections to account for the digital
age, but H.R. 699, in its current form, poses significant risks
to the American public by impeding the ability of the SEC and
other civil law enforcement agencies to investigate and uncover
financial fraud and other unlawful conduct.
I firmly believe there are ways to update ECPA that offer
stronger privacy protections and observe constitutional
boundaries without frustrating the legitimate ends of civil law
enforcement.
The SEC's tripartite mission is to protect investors,
maintain fair, orderly, and efficient markets, and facilitate
capital formation. The SEC's division of enforcement furthers
this mission by, among other things, investigating potential
violations of the Federal securities laws, recommending that
the commission bring cases against alleged fraudsters and other
securities law wrongdoers, and litigating the SEC's enforcement
actions.
A strong enforcement program is a critical piece of the
commission's efforts to protect investors from fraudulent
schemes and promotes investor trust and confidence in the
integrity of the Nation's securities markets.
Electronic communications often provide critical evidence
in our investigations as email and other message content can
establish timing, knowledge or relationships in certain cases,
or awareness that certain statements to investors were false or
misleading. When we conduct an investigation, we generally will
seek emails and other electronic communications from the key
actors through an administrative subpoena.
In some cases the person whose emails are sought will
respond to our request, but in other cases, the subpoena
recipient may have erased email, tendered only some emails,
asserted damaged hardware, or refused to respond.
Unsurprisingly, individuals who violate the law are often
reluctant to produce to the government evidence of their own
misconduct.
In still other cases, email account holders cannot be
subpoenaed because they are beyond our jurisdiction. It is at
this point in the investigation that we may, in some instances,
need to seek information from an Internet service provider,
also known as an ISP. The proposed amendment would require
government entities to procure a criminal warrant when they
seek the content of emails and other electronic communications
from ISPs.
Because the SEC and other civil law enforcement agencies
cannot obtain criminal warrants, we would effectively not be
able to gather evidence, including communications such as
emails directly from an ISP, regardless of the circumstances,
even in instances where a subscriber deleted his emails,
related hardware was lost or damaged, or where the subscriber
fled to another jurisdiction. Depriving the SEC of authority to
obtain email content from an ISP would also incentivize
subpoena recipients to be less forthcoming in responding to
investigatory requests, because an individual who knows that
the SEC lacks the authority to obtain his emails may thus feel
free to destroy or not produce them.
These are not abstract concerns for the SEC, or for the
investors we are charged with protecting. Among the type of
scams we investigate are Ponzi schemes and ``pump and dump''
market manipulation schemes, as well as insider trading
activity. In these types of fraud, illegal acts are
particularly likely to be communicated via personal accounts,
and parties are more likely to be noncooperative in their
document productions.
Technology has evolved since ECPA's passage, and there is
no question that the law ought to evolve to take account of
advances in technology and protect privacy interests, even when
significant law enforcement interests are also implicated. But
there are various ways to strike an appropriate balance between
those interests as the Committee considers the best way to
advance this important legislation.
Any reform to ECPA can and should afford a party whose
information is sought from an ISP in a civil investigation an
opportunity to participate in judicial proceedings before the
ISP is compelled to produce this information. Indeed, when
seeking email content from ISPs in the past, the division has
provided notice to email account holders in keeping with
longstanding and just recently reaffirmed Supreme Court
precedent.
If the legislation were so structured, an individual would
have the ability to raise with a court any privilege,
relevancy, or other concerns before the communications are
provided by an ISP, while civil law enforcement would still
maintain a limited avenue to access existing electronic
communications in appropriate circumstances from ISPs. Such a
judicial proceeding would offer even greater protection to
subscribers than a criminal warrant in which subscribers
receive no opportunity to be heard before communications are
provided.
We look forward to discussing with the Committee ways to
modernize ECPA without putting investors at risk, and impairing
the SEC from enforcing the Federal securities laws. I'm happy
to answer any questions you may have.
[The prepared statement of Mr. Ceresney follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you. Mr. Cook, welcome.
TESTIMONY OF STEVEN H. COOK, PRESIDENT, NATIONAL ASSOCIATION OF
ASSISTANT UNITED STATES ATTORNEYS
Mr. Cook. Chairman Goodlatte, Ranking Member Conyers, and
Members of the Committee, first of all, thank you very much for
giving me the opportunity to address you and to give you the
perspective of career prosecutors with respect to H.R. 699.
And let me get right to it. The importance of the Stored
Communications Act or SCA, to the law enforcement community
simply cannot be overstated. At issue are records of contact
and communication by Internet and cell service providers. To
understand the importance of these records to the law
enforcement world, I'd ask you to pause and think for a minute
about how these powerful resources are being used in the
criminal world.
Child predators troll the Internet 24/7 for children to
lure them away from their parents and their homes. Purveyors of
child pornography often, with graphic pictures of children,
sometimes infants being sexually molested, sell those images
electronically across the Internet. Terrorists boast of their
horrific crimes posting pictures of those online, and
international drug dealers, gangs, and others involved in
organized crime communicate effectively with coconspirators
through email and texts.
When you realize how pervasive this technology is in the
criminal world, you quickly realize that the evidence covered
by the SCA, or the Stored Communications Act, is central to our
ability to solve virtually every type of crime. And our ability
to access this information covered by the SCA and to access it
quickly, can literally mean the difference between life and
death. It can mean the difference between recovering a child
alive and returning her to her parents, instead of the child
being a victim of a vicious predator determined to commit
unspeakable crimes.
And even beyond the critical role of stopping violent
crimes in progress and rescuing victims, evidence covered by
the Stored Communications Act is often central to the search
for truth in our courts and our ability to bring those most
dangerous in our community to justice.
But here are the problems with ECPA, and both the opening
statements by the Chair and Ranking Member recognize this, ECPA
and the Stored Communications Act were enacted in 1986. That
was before much of this technology was in use, before any of us
had any idea of its capabilities. And to continue to use a
statutory framework with definitions that were enacted before
any of this technology was known is just simply not workable.
It does not fit.
That brings me back to H.R. 699. The primary goal of this
bill seems to be to codify, correctly we would submit, Warshak
and the extension of the Fourth Amendment protections to email
in storage, and text in storage over 180 days. This is an issue
on which we can all agree, but the bill goes farther. It goes
much farther, and we respectfully submit, demonstrates a need
for a comprehensive, not piecemeal reform. In my written
testimony, I have addressed a number, but by far, not all of
the concerns that we have.
I'd like to highlight two places where this bill creates or
perpetuates limitations on law enforcement that far exceed
those imposed, far exceed those imposed anywhere else in the
law, burdens greater than those related to the search of a
home, burdens greater than those related to the search of a
body cavity.
While the Email Privacy Act expands Fourth Amendment
protections and imposes a warrant requirement to compel
disclosure of stored email or text, the statute does not
recognize any of the well-established exceptions to the warrant
requirement that would be applicable in every other
circumstance. I know of no other area of the law where this is
the case.
Second, the Email Privacy Act also imposes notice
requirements unlike those found anywhere else in the law. The
government has long been required to serve a copy of the search
warrant on the person at the property being searched, and that
requirement makes sense. It demonstrates to the homeowner or
the business operator the authority for the search, and that
homeowner or property owner is then free, in the usual course,
to tell whoever they wish about it.
But the government has never been required and the law has
never required the government to reach out to third parties and
notify them of the search. It's not a discovery provision
designed to alert those who are under criminal investigation of
the ongoing investigation. And although there are specific, in
fact, two-and-a-half pages of rules that would control when
that can be extended, this simply is a rule that has never been
imposed in any other context.
In conclusion, I'd just like to say that criminals have,
and we have seen that they have unlimited access to these
modern and powerful resources, and they make full use of them.
For us on the law enforcement side to do our job, access to
this information is critical. Information covered by the SCA
has to be accessible to us.
That access, we respectfully recognize, of course, should
be consistent with the privacy protections afforded by the
Constitution, but Congress should not, as this bill proposes,
impose new unprecedented and unwarranted limitations that will
tie our hands in doing our jobs. Thank you.
[The prepared statement of Mr. Cook follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you, Mr. Cook.
Mr. Littlehale, welcome.
TESTIMONY OF RICHARD LITTLEHALE, ASSISTANT SPECIAL AGENT IN
CHARGE, TENNESSEE BUREAU OF INVESTIGATION
Mr. Littlehale. Chairman Goodlatte, Ranking Member Conyers,
Members of the Committee, thank you for inviting me to testify.
I'm a technical investigator in Tennessee, and I serve on the
technology committee of the Association of State Criminal
Investigative Agencies. As you know, State and local law
enforcement agencies work the vast majority of criminal
investigations in this country. Lawful access to electronic
evidence is critical for us in those cases every day, and H.R.
699, in its current form, does not sufficiently protect that
access.
To give you some sense of the volume of potential
electronic evidence in our cases, consider a stranger abduction
of a 4-day-old infant in Nashville. Over the course of an
intensive 4-day investigation, my unit processed and explored
leads on hundreds of telephone numbers, social media accounts,
computers, and mobile devices. At a time when every second
counts, my fellow agents and I spend a significant amount of
time simply trying to make contact with various providers to
declare an emergency, calling and recalling to make sure that
our process was received and expedited. We had to process
hundreds of leads, any one of which could have been the key to
finding the victim.
Volume alone isn't the only issue. We must also contend
with a lack of structure governing responsiveness. In another
Amber alert investigation, we received a lead that the creator
of a posting on a social media platform may have information
about the child's location. When we contacted the provider,
they noted that ECPA's emergency provision is permissive rather
than mandatory and demanded legal process before they turn over
the records.
We know H.R. 699 has a great deal of support, but we
believe much of that support is based on only one part of the
bill, creating a uniform probable cause standard for stored
content. Advocates for ECPA reform argue that the contents of
an email or document stored in the cloud should be subject to
the same protections as a letter in your desk drawer at home.
H.R. 699 would do that, but it goes farther to create an
enhanced statutory framework of proof standards, notice
requirements, and expand the definitions of covered records
that you would give greater protection for records stored by
third-party service providers than for that envelope in your
desk. And it would do this without extending any of the tools
that law enforcement can use to obtain evidence in the physical
world after we demonstrate probable cause to a neutral
magistrate and get a warrant, like law enforcement controlled
warrant exceptions and warrant execution timelines.
Bringing ECPA into balance should put the physical and
digital worlds on the same plane, not favor digital evidence
over physical evidence. H.R. 699 should be amended to reflect a
more balanced approach that protects privacy and ensures that
law enforcement can access the evidence it needs, and when we
get a warrant, it should behave like a warrant not a subpoena
with a higher proof requirement.
Demonstrating probable cause to a neutral magistrate should
allow us to gather evidence with the same timeliness and
effectiveness that we would expect in the real world.
The notice provisions in the bill would require us to
describe our case to targets of a criminal investigation, even
as we're pursuing leads. That endangers investigations. We also
urge the Committee to carefully balance the need for
notification against the resource burden it places on us. Time
spent complying with arbitrary timelines means less time
investigating crimes and could compromise sensitive
information.
I urge you to ensure that whatever standard of proof you
decide is appropriate, you also ensure that law enforcement can
access the evidence we need reliably and quickly. Speed is
important in all investigations, and ECPA reform should impose
structure on service providers' response to legal demands. A
requirement for automated exchange of legal process and records
with service providers would help speed access to evidence,
provide transparency, and authenticate law enforcement process.
Warrants under EPCA should look like warrants everywhere
else. That means that standard exceptions to the warrant
requirement like exigency and consent should exist, and law
enforcement should control whether or not they are invoked,
just like we can do when executing warrants in the physical
world. Everybody agrees that law enforcement should have rapid
access to communications evidence in a life-threatening
emergency, but that is not always the reality.
Industry and privacy groups suggest that some law
enforcement emergency declarations are unfounded, but those are
unreviewed unilateral determinations. Isn't law enforcement on
the ground in the best position to assess the presence or
absence of defensible exigency in a particular case? We already
do it in other contexts all the time, and there is an existing
body of case law in the courts to determine whether or not we
are correct.
In closing, I want to re-emphasize how important both
aspects of ECPA are to our Nation's criminal investigators. We
agree that ECPA should be updated, but any effort to reform it
should reflect its original balance between assuring law
enforcement access to evidence through legal demands and
protecting customer privacy.
The balance proposed by H.R. 699 goes too far in extending
all the burdens of the traditional search warrant scheme to a
much broader range of records without any of the common law
exceptions, while requiring us to give unprecedented notice to
investigative targets just because the evidence we're seeking
is electronic.
Thank you for having me here today, and I look forward to
your questions.
[The prepared statement of Mr. Littlehale follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you.
Mr. Calabrese, I think maybe I have your pronunciation
correct now. Is that right?
Mr. Calabrese. You actual were right the first time. It's
Calabrese, but I'll take it however you give it. Thank you.
Mr. Goodlatte. Thank you. I'm on a losing streak here, but
go ahead.
TESTIMONY OF CHRIS CALABRESE, VICE PRESIDENT,
POLICY, CENTER FOR DEMOCRACY AND TECHNOLOGY
Mr. Calabrese. Well, thank you, Mr. Chairman, for having me
testify. That's the thing we appreciate the most.
Ranking Member Conyers, Members of the Committee, thank you
for the opportunity to testify on behalf of the Center for
Democracy and Technology. CDT is a nonpartisan advocacy
organization dedicated to protecting privacy, free speech, and
innovation online. We applaud the Committee for holding a
hearing on the Electronic Communications Privacy Act, ECPA, and
urge the Committee to speedily approve H.R. 699, the ``Email
Privacy Act.''
When ECPA was passed in 1986, it relied on balancing three
policy pillars: Individual privacy, the legitimate needs of law
enforcement, and support for innovation. Changes in technology
have eroded this balance. The reliance on trusted third parties
for long-term storage of our communications have left those
communications with limited statutory protections. This void
has created legal uncertainty for cloud computing, one of the
major business innovations of the 21st Century and one at which
U.S. companies excel.
At the same time, information accessible to the government
has increased dramatically from emails and text messages to
social networking posts and photos. Most if not all, of this
information would not have been available in 1986. The
technology has changed but the law has not, creating a major
loophole for Americans' privacy protections.
In the face of this outdated statute, courts have acted,
recognizing in cases like U.S. v. Warshak that people have a
reasonable expectation of privacy in email and invalidating key
parts of ECPA. But that patchwork is not enough on its own. It
continues to lag behind technological change and harms smaller
businesses that lack an army of lawyers. It also creates
uncertainty around new technologies that rely on the use and
storage of the contents of communications.
Reform efforts face a concerted assault from civil agencies
that seek to gain new powers and blow a huge privacy loophole
in the bill. Agencies have blocked reform in spite of the fact
that the SEC has confessed to never subpoenaing an ISP post-
Warshak. No less than FBI Director Comey told this Committee
that in regard to ECPA, a change wouldn't have any effect on
our practices.
In fact, new civil agency powers would harm the privacy of
ordinary citizens. Imagine if the IRS had had these powers back
from 2010 to 2012 when they were improperly investigating the
tax status of Tea Party organizations. During that
investigation, the IRS sent lengthy time-consuming
questionnaires seeking information on what members were
reading, their Facebook posts, donor lists, and copies of the
materials they were disseminating. While the IRS' targeting of
conservative groups was limited to these lengthy
questionnaires, their subpoena authority is extremely broad and
likely could have been used here.
If the IRS had had the power that the SEC proposal
recommends be granted to all Federal agencies, they would have
been able to go beyond gathering information directly from the
target of the investigation. The IRS would have been able to go
to court and enforce an order allowing them to go directly to
the ISP and seek the subject's email. While under the SEC
proposal, the subject in the investigation would have been able
to contest that order in court, civil standards are very low,
and it's clear that the IRS had a very expansive idea of the
information they could seek. This type of agency overreach is
exactly why we can't grant agencies unjustified new
authorities.
Support for privacy reform is deep and abiding. More than
100 tech companies, trade associations, and public interest
groups have signed onto ECPA reform principles. Signatories
include nearly the entire tech industry, span the political
spectrum, and represent privacy rights, consumer interests, and
free market values.
The Email Privacy Act has more than 300 cosponsors,
including a majority of Republicans and Democrats. Post-
Warshak, a warrant for content has become the status quo.
Nonetheless, it is critical for the Committee to approve H.R.
699 in order to cure a constitutional defect in ECPA, protect
individual privacy, and assure that new technologies continue
to enjoy robust constitutional protections. Thank you.
[The prepared statement of Mr. Calabrese follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you, Mr. Calabrese.
And Mr. Salgado, welcome.
TESTIMONY OF RICHARD SALGADO, DIRECTOR, LAW ENFORCEMENT AND
INFORMATION SECURITY, GOOGLE INC.
Mr. Salgado. Chairman Goodlatte, Ranking Member Conyers,
and Members of the Committee, thank you for the opportunity to
appear before you today. My name is Richard Salgado. As
director----
Mr. Goodlatte. Mr. Salgado, would you pull your microphone
a little closer to you.
Mr. Salgado. Sure. Thank you. My name is Richard Salgado.
I'm director for law enforcement and information security for
Google. I oversee the company's compliance with government
requests for users' data, including requests made under the
Electronic Communications Privacy Act of 1986, otherwise known
as ECPA.
In the past, I have worked on ECPA issues as a senior
counsel in the computer crime and intellectual property section
in the U.S. Department of Justice. Google strongly supports
H.R. 699, the ``Email Privacy Act,'' which currently has 304
cosponsors, more than any other bill currently pending in
Congress. It's undeniable and it's unsurprising that there is
strong interest in aligning ECPA with the Fourth Amendment and
users' reasonable expectation of privacy.
The original disclosure rules set out in ECPA back in 1986
were foresighted given the state of technology back then. In
2015, however, those rules no longer make sense. Users expect,
as they should, that the documents they store online have the
same Fourth Amendment protections as they do when the
government wants to enter the home to seize the documents
stored in a desk drawer. There is no compelling policy or legal
rationale for there to be different rules.
In 2010, the Sixth Circuit opined in United States v.
Warshak that EPCA violates the Fourth Amendment to the extent
it does not require law enforcement to obtain a warrant for
email content. In doing so, the Sixth Circuit effectively
struck down ECPA's 180-day rule and the distinction between
opened and unopened emails as irreconcilable with the
protections afforded by the Fourth Amendment.
Warshak is effectively the law of the land today. It's
observed by governmental entities and companies like Google and
others. In many ways, H.R. 699 is a modest codification of the
status quo and implementation of the Sixth Circuit's
conclusions in Warshak.
Two important developments have occurred since I last
testified before the House Judiciary Committee in support of
updating ECPA back in March of 2013, both of which have a
significant bearing on efforts to update the statute.
First, the Supreme Court issued a landmark decision in
Riley versus California where it unanimously held that,
generally, officers must obtain a warrant before searching the
contents of a cell phone seized incident to arrest.
Chief Justice Roberts noted that a regime with various
exceptions and carve outs would ``contravene our general
preference to provide clear guidance to law enforcement through
categorical rules.'' To reinforce the constitutional imperative
for clear rules in this area, Chief Justice Roberts concluded
his opinion with unambiguous direction to law enforcement. He
wrote, ``The fact that technology allows an individual to carry
such information in his hand does not make the information any
less worthy of the protection for which the Founders fought.
Our answer to the question of what police must do before
searching a cell phone seized incident to arrest is accordingly
simple, get a warrant.''
Notably, this Committee is being asked by some today to
jettison precisely the type of categorical rules that the
Supreme Court held were imperative in Riley. Doing so would
undermine the user's reasonable expectations of privacy and
encroach on core privacy protections afforded by the Fourth
Amendment. We urge the Committee to reject such pleas.
Second, many States have enacted bright-line rules to bring
their State versions of ECPA in line with the Fourth Amendment.
Hawaii, Texas, and Maine have all done this. In addition,
earlier this year, the California legislature overwhelmingly
approved landmark legislation to update California's version of
ECPA, referred to as Cal-EPCA. Not only does Cal-EPCA require
the government to obtain a warrant before it can compel third-
party service providers to disclose content, but it also
extends the warrant requirement to communications metadata and
data seized that's stored on electronic devices.
States are appropriately recognizing that the Fourth
Amendment protections ought to extend to the sensitive data
that's stored in the cloud. H.R. 699 represents an overdue
update to ECPA that would ensure electronic communications
content is treated in a manner commensurate with other papers
and effects that are protected by the Fourth Amendment. It's
long past time for Congress to pass a clean version of H.R.
699.
Thank you for your time and consideration, and I'd be happy
to answer any questions you may have.
[The prepared statement of Mr. Salgado follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you, Mr. Salgado.
Mr. Rosenzweig, welcome.
TESTIMONY OF PAUL ROSENZWEIG, VISITING FELLOW, THE HERITAGE
FOUNDATION, FOUNDER, RED BRANCH CONSULTING
Mr. Rosenzweig. Thank you very much, Mr. Chairman, Ranking
Member Conyers. I appreciate very much the opportunity to come
before you today to testify about the Email Privacy Act and the
underlying principles of balancing privacy and law enforcement
needs that are inherent here.
As you know, I am a former prosecutor, having spent 12
years in various roles throughout government. I then became a
deputy assistant secretary for the Department of Homeland
Security with significant responsibility for our
counterterrorism efforts, and today I operate a small
consulting company, and I serve as a visiting fellow at the
Heritage Foundation. From this perspective, I am pleased to
acknowledge that everybody on this panel agrees that a warrant
requirement for content of email is an appropriate response to
changing technology.
It seems to me almost beyond belief that notwithstanding
the uniform agreement of that principle, we have been unable to
work out the details of how to implement that as a matter of
statutory law. To my mind, that principle has its roots not in
our agreement here, but rather in the longstanding
understanding of the privacy of one's personal papers and
effects that goes back to the very foundings of this Nation.
The most famous case of which was the Wilkes versus Wood
case. Wilkes was a protestor, much like some of the people in
America today, whose papers and effects were the subject of a
general warrant. That search by the Crown at that time was one
of the most salient effects that drove the Revolutionary
movement. Likewise, the Writs of Assistance case, which James
Otis famously lost, unfortunately, in Massachusetts, was what
John Adams said was the spark that lit the flame of the
Revolution.
Today, email are our private papers. The ISPs that transmit
my email to you are the equivalent, functional equivalent of
the post office, and the cloud storage system that I use to
store that information is the functional equivalent of the file
cabinet in my office. There is no ground that I can see that is
consistent with what the Framers understood our personal
privacy and papers to be to exclude that information from the
full protection of the warrant.
And I would add that our history of Fourth Amendment
understanding has followed the development of technology by
consistently applying that same principle. When the Supreme
Court was faced with the idea of telephones in the Katz case
back in the 1960's, they saw that those types of personal
communications ought to be subject to the exact same sorts of
constitutional protections. This notwithstanding the fact that
of course telephones were unknown to the Founders, and over the
dissent of Justice Black who said, you know, history says there
are no telephones, if it's not in the Fourth Amendment, it
shouldn't be in the Fourth Amendment.
Likewise, as Mr. Salgado has said, we've recently come to
understand that the cell phones in our pockets are not just
telephones. They are now mini-computers that contain the stuff
and substance of everything that we know and understand, so,
too, I would submit, with the content of our email
communications and our stored data in cloud service providers,
whether it's Google, or Microsoft, or Yahoo, or Dropbox, this
is where we store our data today.
So what's the debate? What's left? All that I hear that is
left is the application of exceptions that are carve outs and
restrictions on this general warrant requirement. And to some
degree, that has an intellectual appeal to it, doesn't it,
because we've had exceptions to the Fourth Amendment for
awhile, but I doubt that that's really what the advocates for
the exceptions are suggesting, because I certainly have not
heard any of them suggest that we should adopt as well the
Fourth Amendment suppression rules for when evidence is
wrongfully collected in violation of these exception
requirements.
The truth is that we've had no--when ECPA was first passed
in the 1980's, no exception for an emergency at all. The
current statute was added in 2001, post 9/11 at the suggestions
of the Department of Justice. So it's kind of passing strange
that we would see that exception and expansion of it held out
now as a reason to oppose the fundamental changes that are
necessary in light of technology.
I would submit to you that the time is ripe for change and
the principle is clear. In the normal law enforcement context,
police, FBI, and law enforcement officers should have no more
access to stored email than they do to our stored private
letters. I would urge this Committee to give the bill before
you plenary consideration in a markup and move it to the floor
for consideration where these issues can be hashed out. And
with that, I thank you very much. I look forward to answering
your questions.
[The prepared statement of Mr. Rosenzweig follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
__________
Mr. Goodlatte. Thank you. And we'll now proceed under the
5-minute rule with questioning of the witnesses, and I'll begin
by recognizing myself.
Mr. Salgado, if Congress were to issue a subpoena to Google
for the contents of a customer's emails, would that subpoena
violate the Fourth Amendment?
Mr. Salgado. That's a question I would have to look into as
to how the Fourth Amendment applies to Congress, so I've not
done enough research to be able to answer that with much
confidence. I would say that the changes we're talking about
today to ECPA would not in any way affect the investigative
powers of Congress.
Mr. Goodlatte. I think it's a very important question,
however, because if you can't answer that question from me
right now, answer this question. What's the constitutional
distinction between congressional and executive subpoenas?
Mr. Salgado. Again, I'd probably have to investigate that.
The Fourth Amendment is what the Fourth Amendment is, so if
there is a restriction there that's based on the Constitution,
that exists regardless of what we do with ECPA.
Mr. Goodlatte. If the subpoena issued to Google for the
contents of a customer's emails, the customer might be a
government employee who is acting outside of the government's
servers and email system and is storing data on Google's cloud,
what ability would the Congress have to conduct oversight if
your finding is that it violates the Fourth Amendment?
Mr. Salgado. I don't know that it would, but I do note that
Congress would have all the authority it does now to direct the
subpoena to the user to get the information directly from the
user.
Mr. Goodlatte. We would very much appreciate your taking
some time to think about the answer to that question because
it's a very important question with regard to how we address
this. Because there either is not a violation, in which case
the question arises what's the constitutional distinction
between congressional and executive subpoenas, or there is a
constitutional violation, in which case the Congress' ability
to conduct proper oversight of the executive branch is a very
significant one.
Mr. Salgado. I'd be happy to answer the question. I don't
think it touches on the question of this particular step, this
particular bill, but I'd be very happy to look into that for
you.
Mr. Goodlatte. Thank you.
Mr. Ceresney, critics of a civil mechanism cite to the fact
the SEC has not sought to serve a subpoena on a commercial
provider in the 5 years since the Sixth Circuit's decision in
U.S. v. Warshak. You've heard some of those criticisms right
here on this panel today.
They say it's not really a problem that needs to be solved
because of that fact. Is this true? And if so, why hasn't your
agency sought to challenge the warrant only policy adopted by
many providers following Warshak?
Mr. Ceresney. So Congressman, the decision was made at the
time. I wasn't at the SEC at the time, but after Warshak, a
decision was made in excess of caution not to issue subpoenas
to ISPs without consent of the subscriber. And since I've been
at the SEC, we have held off on doing that in deference to the
discussions have have been ongoing in Congress about amending
ECPA.
At the same time, we have never felt like Warshak precluded
us from obtaining email under the Constitution pursuant to a
subpoena with notice to the subscriber. Warshak dealt with a
grand jury subpoena with no notice to a subscriber, and it did
not undermine a long line of case law that exists, that holds
that where a subscriber or the party you're seeking email from
or seeking material from has precompliance review before a
court that that satisfies the Fourth Amendment. It is true that
we have not done it, but I can tell you there are cases ongoing
which----
Mr. Goodlatte. I know that you haven't done it. I want to
know why.
Mr. Ceresney. Right. And that is because in an excess of
caution at the time and in deference to these discussions, you
know, in deference to the discussions that have been ongoing
before Congress about the decision of what to do to reform
ECPA. From our perspective, there are ongoing investigations
that would definitely benefit from ISP subpoenas where we have
not obtained email from a subscriber that we do know exists,
but we're not able to obtain it because we have not been
issuing subpoenas to ISPs.
Mr. Goodlatte. So how has that affected your ability to
conduct investigations?
Mr. Ceresney. I think it has affected our ability to
conduct investigations. We issue subpoenas to individuals all
the time for their email, and all the time there is instances
where those individuals either don't produce----
Mr. Goodlatte. And before Warshak, you would then issue a
subpoena to a third-party holder of those emails. Is that
correct?
Mr. Ceresney. That's correct.
Mr. Goodlatte. And since then, you haven't felt the need to
attempt to do that, and have the courts clarify this issue,
which now the Congress is being asked to clarify?
Mr. Ceresney. We have felt the need, Congressman, but we
have, in deference to these ongoing discussions in Congress
about reforming ECPA, determined not to do that. But we
certainly have identified cases where it would have been
helpful to do that to our efforts.
Mr. Goodlatte. All right. Let me ask one more question to
Mr. Littlehale. In addition to serving the warrant on the
customer, H.R. 699 also requires law enforcement to provide
notice to the customer of the nature of the law enforcement
inquiry with reasonable specificity.
Is law enforcement required to provide such information to
a person when they serve a search warrant on their home? What
is the harm if law enforcement is required to inform the
subject of investigation of the nature of the law enforcement
inquiry with reasonable specificity?
Mr. Littlehale. Mr. Chairman, in traditional search warrant
practice on the premises to be to served----
Mr. Goodlatte. Turn your microphone on, please.
Mr. Littlehale. Sorry, Mr. Chairman. In traditional search
warrant practice, the requirement is simply that law
enforcement leave a copy of the warrant and an inventory of
items seized on the premises to be searched.
And in the analogy to a service provider, an entity that is
in possession of evidence, we serve a copy of the warrant on
them, and we give them notice of the fact that we're requiring
them to produce the records.
H.R. 699 imposes an additional set of requirements that we
actually discuss something about the nature of our
investigation that goes beyond what's required in traditional
search warrant practice.
Mr. Goodlatte. Thank you very much. The gentleman from
Michigan, Mr. Conyers is recognized for 5 minutes.
Mr. Conyers. Thank you, Mr. Chairman. Before I begin my
questioning, I'd like to ask unanimous consent to introduce a
statement from the gentleman from Colorado, Mr. Jared Polis,
into the record. He's the lead Democratic Member on this bill,
and his views are worth consideration by the Committee. Can I
get a unanimous consent request approved?
Mr. Goodlatte. Without objection, it will be made a part of
the record.
[The information referred to follows:]
Prepared Statement of the Honorable Jared Polis,
a Representative in Congress from the State of Colorado
Chairman Goodlatte, Ranking Member Conyers, and Members of the
Committee:
Thank you for convening this important hearing on H.R. 699, the
Email Privacy Act. The Email Privacy Act is the most cosponsored bill
in Congress awaiting floor action, and the problem it addresses is one
of the most pressing constitutional concerns of our modern age: How can
we stop the advancement of technology from eroding our fundamental
right to privacy?
In the broadest possible terms, the obvious answer is that we need
to update our laws. Many of the laws governing the use of the
technology Americans most frequently use today were written long before
any of that technology existed or was even conceived of. Congress
simply cannot purport to protect Americans' constitutional rights while
leaving the federal government to enforce laws designed for a world
that doesn't exist anymore.
Today, the law governing many of our online privacy rights is the
Electronic Communications Privacy Act (ECPA) of 1986. In 1986, for the
vast majority of Americans, ``electronic communications'' meant a phone
call placed from a landline. In 1986, Apple had just released the
Macintosh Plus--a cutting-edge personal computer that provided users
with an entire megabyte of memory. Today, iPhone 6 users walk around
with 16,000 times that amount in their pockets. In 1986, the ``World
Wide Web'' was years away from taking off. Today, that term is already
a relic of the past.
As a result of Congress's failure to keep up with the pace of
technology, every American's email can be subject to warrantless
searches thanks to a 29-year-old legal loophole. Under ECPA, the
government has the ability to search through any digital communications
stored on a third-party server--such as your emails and instant
messages--without a warrant, as long as they are more than 180 days
old. In 1986, this loophole may have seemed reasonable because
individuals simply didn't leave their emails stored on a server for
months at a time. That kind of digital storage space just didn't exist,
so authorities considered emails not deleted after six months to be
abandoned. In 2015, however, consumers routinely store emails digitally
for months or even years at a time.
Most Americans have no idea that a law written 29 years ago allows
the government to open their old emails without probable cause. And
when they find out, they're shocked--because that reality is simply
impossible to square with the basic liberties guaranteed in our
Constitution. It simply makes no sense that our homes, cars, and
mailboxes are protected from unwarranted government searches but the
government can sift through our email inboxes with impunity.
Congress has the power to change that. The Email Privacy Act has
304 cosponsors in the House--a bipartisan, veto-proof supermajority of
Members of this body--and far-reaching support across all sectors of
the economy and across the political spectrum, from groups like the
Heritage Foundation and the American Civil Liberties Union to tech
startups, Fortune 500 companies, and Chambers of Commerce.
There are some federal officials calling for special carve-outs and
lower burdens of evidence in order to access Americans' old emails. I
urge the committee to resist these efforts to undermine the bill for
several reasons.
First, the sheer volume of support for this bill suggests that
Americans and their representatives in Congress overwhelmingly support
the legislation as written and do not believe electronic correspondence
should be subject to a lower standard of evidence than physical
documents when it comes to government searches.
Second, the authors of ECPA clearly did not anticipate a future in
which Americans have access to nearly unlimited storage space that
allows us to store our emails on the cloud in perpetuity. In asking for
a special carve-out from warrant requirements, these federal agencies
are asking for broad new search authorities that go far beyond the
intent of the 1986 legislation and that would significantly undercut
the intended reforms of the Email Privacy Act.
Third, the federal officials asking for these broad new authorities
have not put forward compelling evidence that the 180-days loophole has
served a legitimate law-enforcement purpose.
And finally, it is impossible to square a lower standard of
evidence for emails older than 180 days with the Constitution's 4th
amendment protections against unreasonable search and seizure. There is
simply no constitutional basis for exempting digital correspondence
from our privacy laws, and there is no compelling safety or crime-
prevention reason for doing so either.
The 180-days loophole is a longstanding problem with a simple,
bipartisan, broadly popular, noncontroversial solution at the ready.
With 304 cosponsors in the House, the Email Privacy Act is the most-
cosponsored bill of the 114th Congress not to receive a floor vote. I
urge the Committee to favorably report H.R. 699 so that it can finally
get a vote on the House floor, where I am confident it would pass with
overwhelming bipartisan support.
Thank you.
__________
Mr. Conyers. All right. Thank you. Let me begin my
questions with Chris Calabrese. I'm trying to find out why this
bill is so popular from your point of view. The Email Privacy
Act, 304 sponsors, privacy advocates, civil libertarians
support it, former prosecutors, Fortune 500 companies, and
small businesses across the country. More than 100,000
Americans have signed a petition urging the White House to
support this measure. How come?
Mr. Calabrese. Well, I think that Americans believe very
strongly in the values that underpin this Nation, the
fundamental idea of privacy and a balance between what
government can do and having rules around how they can do it.
All this bill does is the very modest step of bringing our
privacy protections into the 21st Century, and everybody agrees
with that.
A recent poll in the Washington Post said that 86 percent
of Americans supported reform. This panel is unified in saying
that we need a warrant for email. Now, we have some minor
issues around the edges, but honestly, I believe that this is a
bill that would pass Congress or pass the House of
Representatives by 300 or 400 votes.
It is that popular. It is that common sense. I think we
simply need a markup. We can work out some of these issues
around the edges, and the American people can get the privacy
protections that they want and they need. Thank you.
Mr. Conyers. Thank you. And also in your testimony you
mention that the bill faces a concerted assault from civil
agencies that seek to use statutory changes as a tool to gain
new powers. Some argue the powers are already on the books. Why
do you refer to the SEC's proposal as a request for new powers?
Mr. Calabrese. I think that if you don't use an authority
for 5 years and there is a questionable legal standard about
whether you can use it at all, it's new authority. That's
simply put. It simply can't be that you have this existing
authority and you say it's incredibly valuable but you've held
off on using it for 5 years. Either what you're doing in your
investigations aren't important, which we all know is not true,
or you don't think you have this authority, and to me, there
are really no other options, and I think that this is new
authority.
Mr. Conyers. Thank you.
Mr. Rosenzweig, the government often conducts parallel
criminal and civil investigations to the same target. What
would be the practical consequences if we adopted a warrant
standard for email in criminal investigations and some lesser
standard for those in civil investigations?
Mr. Rosenzweig. There'd be the risk that the exception
would swallow the rule. I spent much of my early career
prosecuting environmental criminal cases, a regulatory area
where the civil regulatory authorities had civil and
administrative powers for securing evidence. There was a set of
procedures, parallel proceedings procedures, that were internal
to the executive branch that governed the circumstances under
which those civilly collected evidence could be transferred to
the criminal prosecution side for use in a criminal case. Those
rules were simply rules of grace at the discretion of the
executive branch. They were not statutorily mandated and they
were not expressed in any constitutional limit.
There would be at least some risk that in an effort to
evade the warrant requirement that was created by reform of
ECPA, criminal authorities would solicit the securing of that
evidence through civil process under a lesser standard. I do
not mean to ascribe ill motivation to anybody in any part of
this process. But, nonetheless, the interstitial pressures are
very real.
Mr. Conyers. Let me squeeze in one final question here. The
Sixth Circuit in Warshak held that, to the extent that the
Stored Communications Act permits the use of subpoenas to
compel the production of email, the statute is
unconstitutional. Given that holding, is the mechanism proposed
by the SEC also unconstitutional? Anybody want to try that in
addition to you?
Mr. Rosenzweig. I think it likely is. It hasn't been tested
in court. There is a history of restricting civil authorities
for constitutionally protected material. There's also, frankly,
some law that points to things called administrative searches
that might be seen as a validation of the SEC's position. If I
were to judge it, I would probably say--come down against it,
but nobody makes a lot of money predicting the Supreme Court.
Mr. Conyers. Could it withstand the Fourth Amendment
challenge in the courts, do you think?
Mr. Rosenzweig. I would say no.
Mr. Conyers. All right. Thank you so much.
Thank you, Mr. Chairman.
Mr. Goodlatte. Thank you, Mr. Conyers.
The Chair now recognizes the gentleman from Wisconsin, Mr.
Sensenbrenner, for 5 minutes.
Mr. Sensenbrenner. Thank you, Mr. Chairman.
In the Warshak case in 2010, the Sixth Circuit ruled the
content of America's emails is protected by the Fourth
Amendment. I agree with that holding. Since that decision, the
SEC has been unable to subpoena email content from service
providers.
Now, Mr. Ceresney, I've read your testimony and listened to
it. Did you write it in 2009?
Mr. Ceresney. No. I wrote it----
Mr. Sensenbrenner. Okay, well, thank you very much.
Now, if the SEC cannot currently subpoena email content
from service providers, is it truthful to testify that if H.R.
699 becomes law the SEC will be denied the ability to obtain
evidence?
Mr. Ceresney. I don't agree that we're not able to do it
currently. We have refrained from doing it in deference to
Congress' ongoing discussions about it.
Mr. Sensenbrenner. Okay. Well, I guess you kind of ignored
the Warshak decision on that.
Now, even under ECPA as it was written almost 30 years ago,
the SEC could only subpoena email content after it was older
than 180 days. Aren't you asking this Committee to expand a
legal authority that was found unconstitutional in a more
limited form?
Mr. Ceresney. We are not. I think----
Mr. Sensenbrenner. Well, then, why aren't you? Because you
would like to be able to issue subpoenas on email content
that's less than 180 days old.
Mr. Ceresney. We would defer. If Congress decided that----
Mr. Sensenbrenner. No. No. No. No. No. No. No. You know,
the thing is, is that I think the court has decided and you're
not happy with the court decision. What your testimony says is
that you'd like to expand something that's already been held
unconstitutional.
Mr. Ceresney. I disagree. Warshak was----
Mr. Sensenbrenner. Well, I disagree with you.
Now, let me ask the whole panel, just to ask yes or no. If
Congress gives civil agencies the authority to subpoena email
content to service providers, would that law be constitutional?
I think Mr. Ceresney has already said yes.
Mr. Ceresney. Yes.
Mr. Sensenbrenner. Can I get a yes-or-no answer from the
other five panelists?
Mr. Cook. I'd love an opportunity to explain the----
Mr. Sensenbrenner. No. I'm limited on time.
Mr. Cook. I understand, sir.
Mr. Sensenbrenner. Yes or no please.
Mr. Cook. My answer is yes, it would be constitutional.
Mr. Sensenbrenner. Mr. Littlehale?
Mr. Littlehale. Yes, it would be.
Mr. Sensenbrenner. Mr. Calabrese?
Mr. Calabrese. I believe no, it would not be.
Mr. Sensenbrenner. Mr. Salgado?
Mr. Salgado. I believe no, it would not be.
Mr. Sensenbrenner. Okay. Mr. Rosenzweig?
Mr. Rosenzweig. No. That's what Warshak said.
Mr. Sensenbrenner. Uh-huh.
Now, I think we've heard from Mr. Ceresney. Messrs. Cook
and Littlehale, since you believe the law would be
constitutional, how do you square that position with the Sixth
Circuit court's holding in Warshak?
Mr. Cook. Well, I think the critical distinction is the one
that the SEC has already drawn, and that is that the subpoena
at issue there was a grand jury subpoena, one issued with no
notice to anybody. The Fourth Amendment to the United States
Constitution, as we all know, has never imposed a warrant
requirement without any exceptions or without any other way to
meet the reasonableness clause.
Mr. Sensenbrenner. Okay. Mr. Littlehale?
Mr. Littlehale. Congressman, I believe that the due process
provided by the SEC proposal offers a significant amount of
protection, the same sort of protection contemplated by the
Fourth Amendment, and I believe that the courts would view that
as sufficient protection.
Mr. Sensenbrenner. Well, you know, the issue is, is that a
subpoena--there can't be a motion to quash a subpoena until
it's served. So even if there's an immediate motion to quash a
subpoena, isn't there the risk of a constitutional violation
here?
Mr. Ceresney. Congressman, there isn't. That's because our
subpoenas are not self-executing. If we want to enforce our
subpoena, we need to go to a court and compel production.
Mr. Sensenbrenner. Okay. Well, except that Warshak seems to
indicate the opposite. Well, you know, the thing is, is that
here we're having to balance the fact that apparently the
position of law enforcement is that they want to expand what is
currently the law. And the position of those who are privacy
advocates say the law is the law and codify it.
I think this is a slam dunk for Congress to make a
determination, because we already have something that everybody
seems to think is okay, you know, except a few people that
would like to expand the dragnet.
With that, I'll yield back.
Mr. Goodlatte. The Chair thanks the gentleman and
recognizes the gentlewoman from California, Ms. Lofgren, for 5
minutes.
Ms. Lofgren. Thank you, Mr. Chairman. And I'm glad that
we're having this hearing today. As had been mentioned at the
beginning of the hearing, over 300 Members of Congress are
sponsoring the legislation. So it hasn't been a close call for
most of us.
There is a competing--not a competing bill, a bill that
encompasses the provisions in this bill, but also goes to
geolocation. And I'm wondering, Mr. Cook, the DOJ recently
enacted a policy requiring a warrant before deploying a cell
site simulator, like a Stingray, to locate a suspect using
their cell phone. Does your association support that policy?
Mr. Cook. The answer to that, of course, is yes. The use of
a Stingray or Triggerfish, cell site simulator, under certain
circumstances would trigger Fourth Amendment protections. That
is to say that either a warrant or one of the exceptions. And
there are many occasions when law enforcement uses a Stingray
and it does so under the emergency aid or exigent circumstances
exception.
Ms. Lofgren. If you support this absent the exigent
circumstance exception, which we're not arguing against, would
you consider that a warrant for any means of obtaining real-
time geolocation information should also be favorably supported
by your group?
Mr. Cook. I'm not sure I understand.
Ms. Lofgren. For example, you don't need a Stingray to
actually identify where a person is with a cell phone. But the
identification issue is the same. So wouldn't that logic extend
to that?
Mr. Cook. Well, when law enforcement seeks prospective
tracking of a suspect, as was the case in Jones, an ongoing
tracking, then the Fourth Amendment is implicated. And I think
Jones resolved that for us.
Ms. Lofgren. I think it did as well. Shouldn't that same
logic apply also to historical location information?
Mr. Cook. That's a great question. And of course, as I can
tell from your questioning, you're fully familiar with the
court struggling with that issue, the fourth and the fifth
circuit and other courts divided on that. And so part of the
division I think is driven by an understanding of the
technology. The technology with respect to some location
information is that it's just not as specific as GPS tracking.
And with respect to that, the courts have recognized that
there's----
Ms. Lofgren. If I can, I don't want to run out of time.
Assuming that the technology issues are resolved, and it's not
the U.S. Attorneys Association's job to do that, logically
shouldn't the Fourth Amendment apply to historical records as
well as prospective records?
Mr. Cook. The other longstanding doctrine, of course, that
touches on that is the one that the courts have pointed to, and
that is the Smith and Miller third-party records doctrine.
Ms. Lofgren. Right, which has also been not favorably
received recently by the Congress.
Let me turn to you, Mr. Salgado, because we have approached
this whole issue from the point of the Fourth Amendment and the
Constitution and the right to privacy and the like. But it also
has an impact on American business. The most important
technology companies in the world are located in the United
States. I would like, can you comment on the impact, if any, on
American business for a perception in other countries that
privacy is not secure if you use an American product?
Mr. Salgado. Thank you, yes. I certainly can easily burn up
the rest of your time with an answer to that question. It is a
significant impact on American industry that there's a
perception outside of the United States--Europe, it's no
secret, certainly holds this perception--that data held by U.S.
companies is somehow there for the taking for U.S. Government.
This bill, the Email Privacy Act, is a good step toward
getting rid of that misperception, making sure our statutes
reflect the true protections that the Fourth Amendment offers.
Ms. Lofgren. Now, if I can, and you may not have the answer
to this, but certainly this is not an issue just for Google,
but for Facebook and all the ISPs, and Microsoft has a big case
in Ireland right now, and the like. Has anybody added up the
dollars at risk to the U.S. economy on this privacy issue?
Mr. Salgado. You know, that may have been done. I'd need to
get back to you with that, it's not on the tip of my tongue, to
be able to answer.
Ms. Lofgren. Okay. That's fair enough. I would like to just
mention that the Chief Justice's conclusion in Riley versus
California is, ``Our answer to the question of what police must
do before searching a cell phone seized incident to arrest is
accordingly simple, get a warrant.''
How does that decision apply to the legislation that we're
considering today, in your judgment?
Mr. Salgado. I think it illustrates the point that the
Supreme Court wants us to have bright rules so that the law
enforcement officer in the field knows what to do. And when
we're talking about the Fourth Amendment and our right to
privacy, we're not messing around with gray areas, that we
recognize the significance of this right to Americans, we
recognize the significance of the privacy interest, we have
clear rules, and the rules should be to default to a warrant.
Ms. Lofgren. Thank you very much. My time has expired, Mr.
Chairman.
Mr. Collins [presiding]. The gentlelady's time has expired.
The Chair now recognizes the gentleman from Iowa, Mr. King.
Mr. King. Thank you, Mr. Chairman.
I thank the witnesses for your testimony.
First, it was mentioned that there's a general agreement
among the panel, I believe, and others, that except for a few
people who would like to expand the dragnet. I would ask Mr.
Cook and Mr. Littlehale, is there anything in this bill that
expands the dragnet?
Mr. Cook?
Mr. Cook. Well, I'm troubled by the characterization.
Mr. King. Well, let me define dragnet so that you don't
have to. And that would be is there anything in this bill that
expands your ability to do investigations that maybe makes
innocent citizens more vulnerable?
Mr. Cook. No, sir. I think that the bill is narrow, in
fact, expansively limits in a couple of unprecedented ways law
enforcement's ability to do their job.
Mr. King. That's my understanding of it as well. Mr.
Littlehale?
Mr. Littlehale. Yes, Congressman, I share that concern.
Mr. King. And you would share the characterization with Mr.
Cook as well?
Mr. Littlehale. I believe that the bill imposes additional
limitations on traditional search warrant practice. And even if
the standard of proof governing an additional category of
records as contemplated in the bill is given, we will have less
authority with respect to those records than we would with
records in the physical world, yes.
Mr. King. I thank both gentlemen. I turn to Mr. Salgado. In
thinking about this from a Google perspective, when I or a
citizen sign up for an email account, there's a long agreement
that's there that I have to confess I have not studied that or
have my attorney look that over, but I say, okay I agree. And I
sign up for my email. And I'm glad to have the service. And it
works really good. Am I in that waiving some protection to
privacy in that agreement?
Mr. Salgado. Well, not with regard to what we're talking
about here. The agreements certainly talk about how we use the
information and where we might be needing to disclose it in
order to provide the service. So it's meant to describe to you,
and those who are interested in knowing these things, what's
happening. But with regard to this bill and the Fourth
Amendment, we will honor search warrants that are served on us
in valid legal process.
Mr. King. Will you honor subpoenas?
Mr. Salgado. We honor subpoenas but not for content. So we
will honor subpoenas for what the statute says we honor
subpoenas for. And it's our preference to let users know when
we get these requests, unless we are informed by gag order, for
example, that we're not able to. So we will honor all of those
rules that Congress has set in place and that the Fourth
Amendment has established. We also will honor requests to
preserve information while law enforcement goes through the
effort of getting a search warrant which may take a period of
time.
Mr. King. Are you aware of any ISPs that have a different
policy than you're describing here with Google's?
Mr. Salgado. There may be slight differences in how the
product works or the policies are slightly different. But, no,
generally I think the sort of pattern I'm describing is one
that certainly the larger companies here operate under.
Mr. King. Then practice is pretty close to the mirror of
the act we're discussing, the legislation we're discussing?
Mr. Salgado. Yes, sir. I think that's right. I'm not aware
of providers who are producing content on anything less than a
search warrant at this point.
Mr. King. So I would burn more time on that but I
appreciate your response. And I would like to turn to Mr.
Rosenzweig because I believe that you gave the clearest
definition of modern electronics versus the postal service from
that constitutional--the Founders' era. This is still the
constitutional era. And I would put it this way, ISP equals
post office, emails equal your filing cabinet. Is that an
accurate description of yours?
Mr. Rosenzweig. ISPs equal the post office, yes. That would
be my summary or stored email equals letters in my file, right.
Mr. King. Okay. Yes. Stored emails. And could I have the
right to, if I had an ISP provider that said we want to waive,
will you waive your authority, will I waive my constitutional
protections and hand that data over to an ISP provider, I could
do that willingly, couldn't I, under the constitution and
current law?
Mr. Rosenzweig. Oh, you could consent to anything. Provided
your consent is voluntary and not coerced, you could. You
don't, if the police come to your door and say can I get the
letters in your file cabinet, you don't have to require a
warrant. You could say sure, come on in.
Mr. King. You're familiar with California v. Greenwood?
Mr. Rosenzweig. Yes.
Mr. King. And so the distinction here between Warshak and
California v. Greenwood, which is essentially if you take your
garbage out to the curb, it's not protected by any Fourth
Amendment right. If I delete my emails, and they're within the
custody of an ISP, and I've waived my right to privacy, that
would be open access then to the investigators?
Mr. Rosenzweig. I would say no. But I would have to think
about that. My sense is that when I delete the email, I'm
intending not to throw it to the curb as garbage, but rather to
eradicate its existence altogether. If I'm aware of the fact
that a copy is kept, maybe. But I don't think I'm aware.
Mr. King. So it's actually, we're getting where we need to
go with this panel, I think is the distinction between
Greenwood and Warshak on what those emails consist of, are they
garbage or aren't they, are they access to an investigator by
subpoena or by a warrant or aren't they. So I appreciate the
panel. This has been clarifying testimony today. And I thank
the Chairman. And I yield back the balance of my time.
Mr. Collins. At this time, the gentlelady from Washington
State, Ms. DelBene, is recognized.
Ms. DelBene. Thank you, Mr. Chair. And I just want to thank
the Chair for holding this hearing and to all of you for taking
the time to be here with us today. Mr. Ceresney, do you dispute
the continued availability of preservation orders and court
interference to enforce administrative subpoenas of targets of
SEC investigations should the Email Privacy Act pass?
Mr. Ceresney. So if the question is whether preservation
requirements should be contained in the statute and the ability
to obtain from the subscriber, should that also be required.
Ms. DelBene. Do you think if the Email Privacy Act passes,
do you think that you're going to continue to have the
availability of preservation orders and court interference to
enforce administrative subpoenas?
Mr. Ceresney. I believe that that is still something that
one could obtain under the proposed statute. But what that
wouldn't allow us to do is to then obtain those emails from
ISPs when the individual doesn't provide them to us.
Ms. DelBene. So you've argued in your testimony that one
problem with the Email Privacy Act would be that it leads
targets of investigations to delete emails, thereby destroying
evidence. So are you telling this Committee that the Email
Privacy Act would be to blame if you don't take the commonsense
step of issuing a preservation order on an ISP from day one of
an investigation. Is there any reason whatsoever that you
wouldn't take that step, that very simple step, which can be
done directly by the SEC without a judge's involvement?
Mr. Ceresney. We would certainly take that step. The
problem is the preservation doesn't then allow us to then
obtain the email from the ISP. So certainly we would do that,
we would try to preserve the email and make sure that it's
available. But then the next step, that is obtaining it from
the ISP, that would not be available to us.
Ms. DelBene. So your comment that this would lead people to
delete emails doesn't really hold water. If you have a
preservation order, the information is going to be saved there.
Mr. Ceresney. But if the person deleted the email and then
we subpoenaed the person, they wouldn't have it. The only
person, the only entity that would have possession, custody,
and control of the email would be the ISP and we wouldn't have
an avenue----
Ms. DelBene. If you have a preservation order, then the ISP
is going to preserve that information.
Mr. Ceresney. Yes. But if they preserve it and we can't
obtain it----
Ms. DelBene. I don't know about you, but I use email to
keep in touch with my family, my husband, my friends back home
in Washington State, all across the country. And I'm sure
pretty much everyone in this room and this building would tell
a similar story. As email has gone mobile, it's virtually
indistinguishable from a phone call or a text message and, no
doubt, contains very important details of people's personal
lives and stored in the cloud by companies like Mr. Salgado's,
and we would all hope to be kept safe from intruders or prying
eyes.
I find it highly disturbing in your testimony today that
seems to suggest that the SEC views email service providers
more like a witness or an informant that you would be able to
tap directly for information as opposed to the digital home of
intimate communications. So let me ask you this: If the SEC
wants a box of documents sitting in a target's home, can you
use an administrative subpoena to bring a locksmith to their
home to open the door, walk in, and take documents?
Mr. Ceresney. We cannot. What we----
Ms. DelBene. Then please explain to us why you think we
should give you the ability to do exactly that with a digital
equivalent. How that could possibly comport with simple
expectations of privacy and due process and without a shred of
meaningful evidence from you so far or anyone else that the
lack of this authority will have any impact on your ability to
carry out investigations whatsoever?
Mr. Ceresney. We view the ISP as a third-party storage
provider, much like an Iron Mountain provider would be for hard
copy documents that are kept in a storage facility. And if in
the circumstance where hard copy documents are kept in a
storage facility, we could go to that storage facility with
notice to the person who uses that storage facility and try to
obtain those documents via subpoena. And that I think is the
analogy that we would draw that would be appropriate in these
circumstances.
And from our perspective, we do have instances in the past
when we did issue ISP subpoenas where we could show that we
obtained significant evidence in investigations for that
purpose. As to the last number of years when we haven't used
it, we don't know what we have lost. But it's certainly our
investigations----
Ms. DelBene. I want to get your view, Mr. Calabrese, on
this in terms of the role of that third-party provider being
the home of people's personal communications.
Mr. Calabrese. Well, it's clearly our digital home. I mean,
you would find much more sensitive information about me in the
cloud than you honestly would in my house at this point. If you
wanted physical documents, they are much more sensitive in my
house. The thing I would also like to point out that we haven't
really touched upon here is that the standard for accessing
information in the civil context is very low. It's mere
relevance. It's not a high standard of probable cause. Also the
number of things that a predicate--a civil agency has, sort of
simply mis-filling out your taxes, for example, are much
greater than the criminal predicates for a warrant. So we're
talking about a much lower standard, much greater number of
ways that we can access information. That means that we're
potentially opening up the cloud to much greater invasion by
civil agencies even than we would by criminal agencies. And I
think that's exactly backwards.
Ms. DelBene. And, Mr. Ceresney, if you give me just a
couple more seconds, Mr. Chair, you talked about cases. Can you
give me the specific names of those cases?
Mr. Ceresney. We have a number of cases. And we would be
happy to provide it to your staff. It includes an accounting
fraud case where an email indicated that somebody was using
earnings management, an insider trading case where an email
contained a tip, a microcap fraud case where the emails showed
control of corporation. And just one last thing to answer Mr.
Calabrese's point, we would be fine if Congress established a
probable cause standard as the standard that we would have to
meet. Whatever standard Congress would like to establish for us
to have to meet, we are fine meeting that standard. What we
need is some mechanism in instances where an individual does
not produce to us email, and has deleted it, or otherwise
destroyed it----
Ms. DelBene. And I think we've already discussed that right
now. Post-Warshak, you have never used that authority. So my
time has expired. And I just want to yield back.
Mr. Collins. The gentlelady's time has expired. At this
time, the gentleman from Texas, Mr. Gohmert, is recognized.
Mr. Gohmert. Thank you, Mr. Chairman. Thank you to the
witnesses for being here. For anyone that can answer, if
someone deletes an email that he or she has already sent out,
would the ISP be able to retrieve that at some point?
Mr. Salgado. I would be happy to try to answer that. It may
vary from company to company. In most cases, I think it's fair
to say that there would be some short period of time between
the point of deletion and when the system purges the content
that has been deleted. So there would be some period of time.
That time period may vary from provider to provider.
Mr. Gohmert. Couldn't it be retrieved from the person to
whom it was sent?
Mr. Salgado. It certainly could. So there may be many
communicants involved in it.
Mr. Gohmert. Right. The issue there, and I'm not one of the
co-sponsors at this time, even though I am one of the persons
proudest of the work that Kevin Yoder has done in getting this
bill to this point. I think it's fabulous. I think it's
important. My concern has been, is that we have left a
provision at page 10, for example, that allows the governmental
entity to apply for a court order so that they can still not
inform the individual. And that's fine to my mind if there's a
question of endangering the life or physical safety of an
individual, like a child that was talked about, flight from
prosecution. As a former judge, I've signed all kinds of felony
warrants. But I made sure that there was probable cause. And I
made sure there was particularity in the description in the
affidavit, as well as in my warrant.
And I felt very comfortable in 2005 and 2006 when the Bush
administration was ensuring us we would never use the national
security letters for anything unless there was someone who
actually had contact with an international terrorist or
terrorist organization, those type of things. And then we find
out in I think in July of 2007, the IG said there were
potentially thousands of abuses where there was basically no
case, they just sent them out. And I'm surprised to hear this
from me, but in the New York Times, there's a good article by
Carla Monyhan talking about Nicholas Merrill, how he fought to
disclose the contents of the NSL. And then we also, with the
disclosures of Snowden, yes, he committed an act of treason,
but he also exposed lies by the last Administration and this
Administration.
When I saw the order, the affidavit and order regarding
Verizon's disclosures of all of their metadata, I realized we
were lied to by both Administrations about what was being
sought. We were told that, look, you don't have to worry,
there's a FISA court, a confirmed judicial nominee that's a
Federal judge, they'll protect the Constitution. There was no
particularity at all, just give us everything on everybody you
got. And the judge just signed, oh, okay, you want everything?
Here's everything. I couldn't believe it.
And so I'm not as comfortable with providing the exception
that I'm sure was demanded by governmental entities. And I'm
wondering if an excuse of destruction of, or tampering with
evidence or intimidation of potential witnesses, enough to get
an order saying we can avoid informing whoever sent the email
or whoever should have possession of the email, we don't have
to inform them if we're concerned they might delete the emails.
Really? Well, that would always be a concern. So you could
always, always, always get some judge somewhere that would sign
off on that order. I know that now after seeing the disclosures
by Snowden. So I'm not comfortable that this is really going to
be that helpful because of that massive gaping hole.
On page 11, it says that basically the provider would have
the burden of notifying the government at the end of the
exclusionary notice time. The provider has the burden of
notifying the government. The government, okay, my time is
about up, so I'm going to notify the subject of the warrant, so
that the government can get, there should be no burden on the
provider to do that. If the government wants to keep that
secret, the government should try to extend it. But I'm not
sure that it wouldn't be extended automatically in virtually
every case.
Mr. Rosenzweig, you say that we should not--we've always
protected a man's documents and we shouldn't change that
because it's in a cloud. I would agree. But the ISPs require we
check a box that says these documents aren't yours anymore,
they're mine. And I'm wondering if maybe we should have some
legislation that tells ISPs, you know what, these documents,
they really are the property of the person that created them,
not the one who holds or provided the safe to put them in.
Mr. Collins. The gentleman's time has expired. But the
witness may answer.
Mr. Gohmert. Anybody care to respond?
Mr. Rosenzweig. I share, I would respond by saying I share
your concern about the delayed notification provisions,
especially the destruction of evidence portion of it. I think
that other portions, you know, a risk of physical injury and
harm, those are very good. I would point out that 2705 was
added in the immediate aftermath of 9/11 as a codification of a
longstanding common law that had developed in the courts of
appeals that had adopted these various rules for when they
would delay notification.
So to some degree, you're arguing with something that
preexisted 9/11, preexisted ECPA, preexisted--and destruction
of evidence has traditionally been one of those possibilities.
That may be something that should change. As for control of
one's own personal data in the cloud, I think that there are
many service providers who offer different degrees of control
over your information. And so I generally tend to be
comfortable with the idea that there's competition in the
marketplace and that if that's something that matters to you,
there are service providers who will promise that they take no
interest and will not process, will not examine your data. They
may be more costly in other ways than service providers who
provide you. So I'm kind of a free-marketist on that one.
Mr. Gohmert. Okay. Thank you very much.
Mr. Collins. The gentleman's time has expired. The Chair
now recognizes the gentleman, Mr. Cicilline.
Mr. Cicilline. Thank you, Mr. Chairman. And thank you to
our witnesses for sharing your expertise and your diverse
perspectives with us today. I believe that all of us assembled
here, both those of us on the Committee and our assembled panel
of witnesses, recognize that technology often evolves much
faster than the law. This, in part, is a testament to the rapid
pace of American innovation. But it also presents a gap that
must be addressed. And the Email Privacy Act represents an
important step forward to closing this gap and preserving
privacy protections for Americans. And it's no surprise to me
that it's broadly supported by the American people.
I want to begin with you, Mr. Ceresney. In your written
testimony, you state if the bill becomes law without
modification, the SEC and other civil law enforcement agencies
would be denied the ability to obtain critical evidence from
ISPs. This phrasing suggests to me that you are engaged in some
activity today that would be blocked by this legislation.
And so, my first question is, does the SEC currently use
subpoenas to obtain the content of communications from Internet
service providers?
Mr. Ceresney. We do not where we don't have consent of the
providers.
Mr. Cicilline. And why not?
Mr. Ceresney. As I've said earlier, it's because in an
excess of caution and in deference to the discussions that have
been ongoing in Congress for a number of years about ECPA
reform, we determined to hold off on using that. But it does
not mean we do not believe we have the authority under the
statute and that it is constitutional to use it.
Mr. Cicilline. But you do not currently use it?
Mr. Ceresney. We do not without consent of the subscribers.
Mr. Cicilline. Your written testimony also acknowledges
that the SEC ``often conducts investigations in parallel with
criminal authorities.'' If the FBI needs a warrant to obtain my
email, but the SEC can obtain my email with something less than
probable cause, what prevents the SEC from helping the
government to avoid a warrant requirement by sharing my email
contents with the FBI?
Mr. Ceresney. So the first point is whatever standard
Congress establishes we're willing to abide by, even if it's
probably cause. But, second, when we issue subpoenas----
Mr. Cicilline. Let me just, so if the standard is probable
cause, then your objection is not with the standard, but who
makes the determination of probable cause? Because a probable
cause finding with a judicial determination is a warrant.
Mr. Ceresney. No, what we're seeking is authority to
achieve a court order with notice to the subscriber, which
provides additional protections to a warrant. A warrant is ex
parte, and the subscriber doesn't have an ability to object.
What we're seeking is an authority to obtain an order from a
court with notice to the subscriber. And the subscriber would
have the ability to object and provide whatever objections they
have, whether they be relevance, whether they be privilege,
whatever other objections. That provides additional protections
beyond those with the warrant, which is ex parte.
But to answer your question about the criminal authorities,
any subpoena or other orders we'd seek would be in advance of
our investigation. They would not be at the behest of criminal
authorities. We do not issue subpoenas or otherwise seek
evidence at the behest of the criminal authorities. We do it to
advance our own investigation.
Mr. Cicilline. Mr. Calabrese, did you want to try that?
Mr. Calabrese. Yeah, I mean, I think the question that we
haven't heard an answer to yet is probable cause of what.
Probable cause of a crime in the criminal context is very
clear. We know what crimes are. And they're interpreted very
tightly. Violations of civil law are much broader. I mean, if I
fill out my tax form incorrectly or I state that this was a
business expense when maybe it was a vacation, you can say oh,
I have probable cause to believe that by going through my
emails, I'm going to find that he was on vacation, not on a
business trip. So what we really are talking about, no matter
what the standard is, it's a much broader access to Americans'
content of their communications.
Mr. Cicilline. And with respect to that, current law
provides that the government must show probable cause to obtain
the content in an email that has been stored by a provider for
180 days, but can use a lesser process for an email that has
been stored for 181 days. Is there consensus that this 180-day
rule is inconsistent with how we use emails today? Should it be
eliminated? And in addition to that, Mr. Calabrese, in your
written testimony you give a good list of the digital content
we all store online, emails, text messages, photographs, music,
passwords, calendars, and other forms of social networking.
Do these forms of media merit protection under the Fourth
Amendment? And is current law adequate to protect any privacy
interests in this information?
Mr. Calabrese. Well, I certainly think that the court in
Warshak believed that the Fourth Amendment should extend to all
these types of contents of communication. My worry is that we
don't know what the next new technology is going to look like.
We don't know what the next way that we're going to keep our
communications private and confidential is. And so we shouldn't
be waiting. And ECPA doesn't have a suppression remedy. So
these actual determinations don't come up that often. We
shouldn't be waiting for 5 or 10 or 15 years for a court to
find a strange case that allows them to say we have a
reasonable expectation of privacy in communications. We all
seem to agree that the content of communications should be
protected by the warrant unless Congress says otherwise.
Mr. Cicilline. Thank you. I yield back.
Mr. Collins. The gentleman's time has expired. The Chair
recognizes the gentleman from Texas, Mr. Poe.
Mr. Poe. I thank the Chairman. I thank all of you all for
being here. As my friend Mr. Gohmert was, I used to be a
criminal court judge in Texas for 22 years, felony cases,
20,000 cases or more. All that time, constantly I had law
enforcement officers come to me with a request for me to sign a
search warrant based upon their affidavits. And I signed a lot.
And some I did not sign because of the basics of the Fourth
Amendment.
The Fourth Amendment makes us different than every other
country on Earth because of our history. It's uniquely United
States history, goes back to the British who wanted general
warrants to kick in doors of warehouses in Boston to see if the
American colonists were storing demon rum they hadn't paid
taxes on yet. To me, a general warrant is the same as a court
order. So we have specific warrants. And like I said, I signed
a lot of them.
It makes no sense to me that the right of privacy is
protected for 6 months but it's not protected more than 6
months. I send a letter, snail mail. And I put that in an
envelope. And I send it off to one of my grandkids somewhere.
It floats around in America from post office to post office and
who else knows where until it gets to grandson. It's protected.
Generally it's protected. It's a form of communication.
When we use emails or store in the cloud, it's a form of
communication wherever the cloud may be. So I think it's
Congress' responsibility to determine what the expectation of
privacy is. It's not, God bless them, Federal judges'
responsibility. It's Congress' responsibility to say this is an
expectation of privacy for Americans. And when we enter the
digital age, I don't buy the argument, well, we're in the
digital age, you got to give up some of your constitutional
rights so we can have government investigate things.
Whether it's civil investigation, whether it's criminal
investigation, I don't buy it. Because the Fourth Amendment
gets in the way of that. I think it is one of the most
important rights that we have. So it's our duty to set up a
standard. Over 300 Members have signed on to Mr. Yoder's bill.
It hasn't come up for a vote. Ms. Lofgren and I filed a similar
bill in 2013. We want to get a vote on, I want to get a vote on
Mr. Yoder's bill. Three hundred and four Members of Congress
agreeing on something? Really? And I think most Members,
Republicans and Democrats, see the importance of the privacy.
Mr. Calabrese, let me start with you. I have a lot of
questions. And I know I have only 5 minutes. The Warshak case,
the SEC lost the Warshak case. They did not appeal that, did
they?
Mr. Calabrese. No, the case was not appealed.
Mr. Poe. It was not appealed. The SEC, the way I get it,
the SEC wants a carve-out for civil investigations. The way I
see this legislation, it's to protect us from the SEC and the
IRS and the EPA. Because without this legislation, they could
keep doing what they're doing. Would you like to comment on
that, weigh in on that? Civil agencies snooping around in
email. And I'm using the word snoop, that's my word.
Mr. Calabrese. We've already seen agency overreach. We saw
it in this Tea Party investigation. There was no question there
was improper investigation that was searching for a much
broader category of information about people than anyone I
think here is comfortable with. The idea of looking at what
people are reading, looking at their donor lists as part of a
civil investigation into someone's tax status is wrong. And it
disturbs me that if someone can have a high--a relevant
standard that is so low that we might bring those kind of
investigations into play, I think that's a problem. And I think
that that's why we need to limit this very powerful authority
to warrants that are supervised by judges under probable cause.
Mr. Ceresney. Judge, may I respond?
Mr. Poe. Not yet. You can respond in writing because I have
the same question for all six of you. The basis of a search
warrant also requires there be notice. Under the current law,
let's use the SEC or let's use the IRS, I like to use them
better, they can do their investigation, their snooping, and
the person being investigated doesn't know about it. Is that
correct, Mr. Calabrese?
Mr. Calabrese. It depends on the circumstances. Sometimes
notice is delayed.
Mr. Poe. Notice is delayed.
Mr. Calabrese. Sometimes notice is delayed. Sometimes they
do know about it.
Mr. Poe. But would you agree that it's part of our
fundamental fairness under the Fourth Amendment that there is a
search warrant, the search warrant is executed, and that there
is a return to the judge of what was seized or not seized, and,
eventually, whoever's house was searched or property was
searched, they get notice of the results of the search warrant?
Mr. Calabrese. This is one of the most----
Mr. Collins. The gentleman's time has expired. But the
witness can answer.
Mr. Calabrese. This is one of the most invasive things that
the U.S. Government or any government can do to its citizens,
it can investigate them, make them the subject of law
enforcement scrutiny. So, yes, absent some compelling reason
not to notify them, I think they absolutely deserve to know
that they are the subject of government scrutiny.
Mr. Poe. I ask unanimous consent to submit questions for
the record, Mr. Chairman.
Mr. Collins. You have unanimous consent to submit as many
as you like, Judge.
Mr. Poe. And we should get the southern rule. If we're from
the south, we should be able to talk longer than just 5
minutes.
Mr. Collins. Well, we just are better expressing ourselves
in our eloquence and slow southern execution.
Mr. Poe. Thank you, Mr. Chairman.
Mr. Collins. With that, the Chair recognizes the gentlelady
from Texas, Ms. Sheila Jackson Lee.
Ms. Jackson Lee. I thank you so very much, Mr. Chairman.
And I thank the witnesses. I want to engage in a give and take
with Mr. Calabrese, Mr. Salgado, and Mr. Rosenzweig if I might.
But let me just ask a pointed question to Mr. Cook. Let me
thank all of you for your service. And acknowledge that the
Warshak case, Mr. Ceresney, I will not attribute your win or
loss, I will just take the case as a Sixth Circuit case.
I just want to ask, since that case, the Warshak case, Mr.
Cook, do you know whether or not the Department of Justice has
used anything less than a warrant based on probable cause to
compel a third-party provider to produce the contents of a
communications? You all adhere to that?
Mr. Cook. Yes.
Ms. Jackson Lee. All right. That's good. Let me move on
then.
Mr. Cook. That was easy. Thank you.
Ms. Jackson Lee. Thank you. To say that I come to this with
a sense of trust of government not to sense that government is
unworthy and consistently trying to undermine its citizens. But
I am an adherent to the Fourth Amendment and its value and its
value with the Founding Fathers. So let me engage the three of
you. One, I'm going to go to you, Mr. Rosenzweig, to make it
clear that issues dealing with terrorism and any elements
thereof are specifically, pointedly, and appropriately excluded
under this legislation. Are you comfortable with that?
Mr. Rosenzweig. Very much so. Indeed, that's part of the
ground for at least my personal view that this legislation is
appropriate. Given the post-9/11 changes that have empowered
our national security apparatus to protect us in ways that I
think are appropriate, it's important to exclude from the
coverage of this bill those issues. And I think that's
something we can agree on. And the construction provision that
is in section 6, I guess it is, of the bill is perfectly
appropriate to that end.
Ms. Jackson Lee. I think it is important to make note of
that. I'm on Homeland Security as well. America is obviously on
alert. But we've always said since 9/11 that we would not allow
fear to instruct and guide our interpretation of the
Constitution. I want to go to Mr. Salgado.
Mr. Calabrese, there was a law professor at Yale Law School
with the same name. Do you have any----
Mr. Calabrese. Sadly, I don't.
Ms. Jackson Lee. I had his class. So you'll be favored by
your very name. But let me engage both of you in the question
of the value and the sanctity of the Fourth Amendment and
whether or not in this interpretation of this bill, which I
understand so many of us are on the bill, but 100,000 petitions
were sent to the White House to support it, whether it is
obstructionist in terms of preventing law enforcement from
doing their job. Can you all just engage? Maybe Mr. Calabrese
will start and Mr. Salgado will finish.
Mr. Calabrese. Sure. I don't believe that it is
obstructionist. You know, we're codifying what amounts to
existing practice and existing protections under the Fourth
Amendment. We're also saying that you should have notice when
someone does a search of your most private electronic home. And
to be clear, unlike a physical warrant where you get that
notice immediately, we're actually delaying notice for 10 days
here so that law enforcement has got a head start.
Ms. Jackson Lee. Absolutely.
Mr. Calabrese. And then we're allowing a gag provision
which says that you, in important circumstances, you'll never
get that notice. I think these are all pretty basic protections
for anyone. And, honestly, if there are issues around the
edges, I'm not sure that there are, but if there are, I think
that's why we have markups, so that we can bring these issues
forward, we can take votes on whether there's anything here
that we should be concerned about, and then we can get this
bill to the floor.
Ms. Jackson Lee. Thank you. Mr. Salgado, let me say that I
too served as a judge and did a lot of PC warrants for police
officers. And I think this should be a comfort. I had a
responsibility to the police officer but also to the citizens,
to be able to inquire what the basis of this warrant was. And
that layer was placed in my hands.
I think the American people place their protection in our
collective hands. What do you think? What is your perspective
on that? And maybe, Mr. Ceresney, you might want to answer that
you are not hindered by the present Sixth Circuit
interpretation. But go ahead, Mr. Salgado.
Mr. Salgado. Yeah, I agree with that completely. The role
of the neutral and detached magistrate in American
jurisprudence is a significant one. It's something that really
sets America apart from a lot of countries, and gives us a
layer of protection to make sure that well-meaning but perhaps
poor judgment in some cases is overridden by the cooler
judgment of a magistrate who doesn't have a particular interest
in a case. It's significant for Fourth Amendment, it's no
accident that that is the standard for valid warrants.
Ms. Jackson Lee. Quickly. Thank you. Mr. Ceresney, do you
want to comment on that as Mr. Yoder sits in the room on pins
and needles wondering how we're going to treat his bill?
Mr. Collins. The gentlelady's time has expired. But the
gentleman can answer.
Ms. Jackson Lee. Thank you, Mr. Chairman.
Mr. Ceresney. I couldn't agree more that it is important to
have a role for a judge in this situation to provide objective
views on the matter. And that's why the order that we are
proposing would be before a judge with notice to the
subscriber. And the subscriber would be able to bring before
that judge whatever objections they have to our seeking the
email.
And that is actually the remedy that we are seeking in this
case. We would try to obtain that email from the subscriber. If
we couldn't, then we would go before a judge and try to obtain
the order. And the judge would be the objective factfinder to
determine whether we've met the standard.
Ms. Jackson Lee. Mr. Chairman, I like this bill. But I'm
willing to listen to the gentlemen. But I like our bill before
us. And I look forward to it going to markup. I yield back.
Mr. Collins. Thank you. The gentlelady's time has expired.
The Chair now recognizes the gentleman from Pennsylvania, Mr.
Marino.
Mr. Marino. Thank you, Chairman. Good afternoon, gentlemen.
My question here is going to be directed to Mr. Rosenzweig and
Mr. Salgado in that order. Please speak to the trends of users
moving to encrypted services, often hosted overseas in order to
seek privacy, and how this might make us less safe than if we
had a clear framework in place. Do you understand my question?
Mr. Rosenzweig. I do understand your question. I think to
begin the answer, obviously, the encryption discussion is
slightly different than the one we're having now about the
lawful access to content. What I would say about the encryption
discussion is that it is essentially a reflection of the exact
same impulse, which is that people are seeing increasingly the
lack of privacy in their personal effects and papers in their--
I like the idea of a digital home, their electronic home. And
to the extent that this Congress does not take steps to protect
that privacy by law, encryption is essentially citizens
engaging in self help and protecting themselves with their own
capabilities.
I would say that, from my perspective, encryption is an
idea. It's a mathematical proof. It's not suppressible. So if
we do not regularize access through things like the proposal
before you that will provide comfort to citizens, they're going
to engage even more, I think, in self help.
Mr. Marino. Thank you. Mr. Salgado?
Mr. Salgado. I agree completely with that statement. And I
think to the point in your question about the movement of users
to services overseas, I think that's a natural consequence of
the misimpression that U.S. Government has such easy access to
the data providers. And it's not true. And this bill will help
make it clear. And it will help prevent the fleeing of users to
other services based on this misperception.
Mr. Marino. Thank you. Mr. Cook and Mr. Littlehale, I have
18 years of law enforcement behind me, prosecution, State and
Federal level. And as far as I'm concerned, what I've seen here
since I've been in Congress, and this is only my third term,
the less Federal Government in my life, the better.
Basically what NSA has done, what the IRS, and there are
many more that we could get into, the overreaching and what I
think is criminality that has taken place in these agencies.
But being a law enforcement guy, and I've prosecuted many child
abuse cases and pornography cases, if the two of you can
quickly tell me what the obstacle is to you and how we can fix
that. Because I know in some investigations that I had, I
didn't want the person who was looking at and transferring and
uploading and downloading child pornography to know at this
point of my investigation that he was the target or she was the
target. Could you please respond?
Mr. Cook. Yes, sir. And I'm concerned that we've lost sight
of that issue and the exigent or emergency aid exception issue,
so if I could just begin with that. The concern that we have is
many of these investigations, whether it's child pornography or
any other type of investigation, many fraud investigations
involve dozens, sometimes hundreds or thousands sometimes in
child pornography cases of targets. For us to get the content
and then have to let the target of the investigation know is a
new discovery requirement that puts the targets, whether it's
terrorism or otherwise, on notice that we're looking at them.
It's unprecedented, I've said that, unprecedented in our law.
Mr. Marino. What is the change that we can make? And Mr.
Littlehale, you go, and then collectively tell me what the
changes are that you would like to see.
Mr. Littlehale. Thank you, Congressman. If all we were
interested in is extending and leveling the playing field for
the 180-day rule and content, this bill would be a page long.
The notice provisions that you're talking about, along with the
additional protections that the bill provides, are one of the
great reasons that we're concerned about it. While I certainly
think that we would like to have a conversation, I think those
are a little bit more than issues around the edges.
I mean, the body of our concern about the bill is that when
we get a warrant, we want it to mean something. That's true on
the earlier point with respect to encryption. You know, if I
serve a search warrant on somebody, I want to have access to
that evidence. And in many instances now, I don't. Well, I want
to find that evidence in other places. And if it's denied to me
because of delays or because of burdensome notice provisions,
those slow me down. They make me less effective as an
investigator. And I believe that this Committee should
undertake a robust review of what this bill is going to do to
the----
Mr. Marino. My time has run out. Would the two of you
please put in writing and get it to me what you think could be
a remedy for this, and anyone else who wants to address that as
well.
Listen, I am just as much a Fourth Amendment advocate as I
am putting these people behind bars. And I wish I--no one
should have to look at the photos of the kids that I've looked
at and you've seen over the years and question as to why we
need to have some delay before letting that person know that
they're going to be arrested. I yield back. Thank you.
Mr. Collins. The gentleman's time has expired. The Chair
now recognizes the gentleman from New York, Mr. Jeffries.
Mr. Jeffries. I thank the distinguished Chair. And I thank
the witnesses for your presence here today.
I want to follow up on that discussion from my good friend
from the great State of--the Commonwealth of Pennsylvania. Mr.
Cook, I know you've expressed concerns as it relates to the
notice requirement. And I think in your testimony you refer to
the provisions as a red alert tool that could notify an
individual that he or she is under investigation. Is that
right?
Mr. Cook. That is correct.
Mr. Jeffries. And if you could just kind of walk me through
a series of responses as it relates to the particular concern
that you've got with the notice provision. Because it's my
understanding that section 4 permits up to 10 days of delayed
notice. Is that right?
Mr. Cook. That's correct.
Mr. Jeffries. And is it your view that the 10 days is
inadequate?
Mr. Cook. So I think it's important for me to point out
that in our discussions already, we have drawn parallels with
the Fourth Amendment as it applies in other contexts. And
everybody seems in agreement that that's the goal, is to make
the bill parallel Fourth Amendment protections.
But this bill does more than that. And here's why. For
example, if you have terrorists working out of an apartment, a
third-party's apartment, and there is evidence in that
apartment, we get a search warrant, search that apartment,
there's no obligation for us to tell the terrorists that we've
gotten evidence out of that apartment that can be used against
them.
Mr. Jeffries. Right. But this bill doesn't necessarily
impose that obligation. It's a default provision, but there are
steps that the government can take under exigent circumstances.
I wouldn't think that it would be sound public policy to create
a law that simply applies in the instance of the terrorist
context where this is a country of 300-plus million people that
values their privacy rights, so there has got to be an
appropriate balance between the legitimate ability of law
enforcement to help keep us safe and to prosecute wrongdoers to
the full extent of the law, and the civil rights and civil
liberties of American citizens. Is that correct?
Mr. Cook. As an email user, I could not agree more, but I
think that the Fourth Amendment has already reached that
balance because in the analogy that I've given you, when we
search that third-party's home or service provider, that
homeowner or service provider is within their rights to contact
whomever they want to notify them.
There has never been an obligation for the government to
figure out who the evidence is going to be used against and to
notify them. That's why I say this is unique in the law, and
I've never seen it before.
Mr. Jeffries. Now, as it relates to sort of the 10 days
delay, if the government concludes that additional delay is
warranted, this bill, correct, provides for a court to make
that determination that the notice can be delayed indefinitely.
Is that right?
Mr. Cook. Not indefinitely. There's a 180-day limitation,
and then there's a recurring obligation to reach back to the
court.
Mr. Jeffries. Right, but after that 180-day period expires,
the government can go back to the court and request another
180-day delay. Is that correct?
Mr. Cook. That is correct. There are narrow limitations on
it. For example, one of the limitations is that if we can show
that there would be harm to another individual, but there are
many times when the harm could be to a community rather than an
individual, and I wish I could report to you that all judges
are reasonable and will always, in the right circumstances,
limit that new constant--or this new statutory notice rule, but
the truth is that that just isn't how it works, and expanding
these obligations on the government will come with great risk
in serious cases.
Mr. Jeffries. But there are times that an Article III judge
can reasonably, or a magistrate that's not an Article III
judge, but an Article III judge or magistrate could reasonably
disagree with the government as it relates to privacy
protections and potential overreach. Is that correct?
Mr. Cook. Of course. Of course it is, and there are times
when that will--that this agreement will result in notification
to--under this newly created rule, to targets of criminal
investigations and alert them to allow them to flee or
otherwise destroy evidence or otherwise engage in bad behavior.
Mr. Jeffries. Mr. Calabrese, could you speak to the
adequacy of this notice requirement in your view?
Mr. Calabrese. I believe it's a very strong notice
requirement and constitutionally appropriate with a very strong
delay procedure. One of the things I'm struggling with a little
bit is, we're talking about a circumstance where I am going
before the judge and getting a search warrant. At that same
time, I may get a delay of that search warrant, so we're not
talking about some kind of separate process where I've got to
go through an additional burden.
When I get the warrant, I can also make the case that I
must delay notice. That can happen for 180 days. Before a
provider or anyone else, you know, notifies the subject, they
have to tell the government that they are going to do that,
giving the government an ability to go back to the court and
say, you know what, the reasons for our delay have not ended
and we need to expand it. I mean, I think it's a very
reasonable, very balanced approach that supports a fundamental
constitutional value, one of notice that's embedded in the
Fourth Amendment.
Mr. Jeffries. Thank you. I yield back.
Mr. Collins. The gentleman's time has expired. At this
time, the Chair recognizes the gentleman from Texas, Mr.
Ratcliffe.
Mr. Ratcliffe. Thank you, Mr. Chairman. As a former U.S.
attorney, I always appreciate and listen to concerns expressed
by law enforcement whenever Congress proposes changes to a law
that may impact your ability to do your job because you're the
folks that are working so hard to keep us safe, and I want to
certainly make sure you have the tools and resources and
capability necessary to do that effectively.
That being said, I also strongly believe that in an
increasingly connected, complex, digital society, our laws have
to be modernized to make sure they reflect the current
technological landscape. As our technology is evolving, this
extremely personal information is being stored on our
computers, on our smartphones, on our Fitbits, where we travel,
what we eat, what we read, where we shop, who we communicate
with, all highly personal information, and so we've got to make
sure we've got robust protections in place for that.
I certainly don't believe that the Fourth Amendment
protections that we all hold so dear and the needs of law
enforcement are mutually exclusive. And I appreciate all the
witnesses being here today to have a thoughtful discussion
about that.
Mr. Ceresney, I want to start with you because, from my
perspective, it seems like that the SEC has been the most vocal
civilian agency in expressing concerns about modifying ECPA,
but the SEC doesn't appear to have served a subpoena on a
commercial provider in 5 years since the Warshak decision. And
despite that, the SEC's annual report last year, 2014, touted a
record year, cutting edge enforcement actions, more cases than
ever before, a number of first ever cases that span the
securities industry.
And I know that Chairman White has testified that the SEC
isn't issuing subpoenas to third-party service providers for
content. So given the record number of cases, enforcement
actions, and first ever cases brought by the SEC, all done
without encroaching on Fourth Amendment rights of Americans,
why is the SEC asking Congress to give it the authority to get
content on something less than a warrant?
Mr. Ceresney. Well, we certainly have been successful, we
think, in enforcing the securities laws, but that does not mean
that there aren't cases that we would benefit tremendously from
emails that we would be able to obtain from ISPs. And I guess
the point that I would assert is that the Fourth Amendment is
not violated by what we are proposing, which would be an order
before a judge, which a judge could issue, with notice to the
subscriber after the subscriber has the opportunity to raise
whatever objections they have under a standard that Congress
would establish. And from our perspective, that does comply
with the Fourth Amendment, and it also balances privacy
protections because you would have an objective factfinder
reviewing the situation and determining whether it's
appropriate for us to obtain emails in that circumstance.
And I can tell you that there are ongoing investigations
now, which we have refrained from seeking those emails from
ISPs, which would definitely benefit from such emails.
Mr. Ratcliffe. When you say what you are proposing, I mean,
how have you been proposing it?
Mr. Ceresney. We've had ongoing discussions with Members of
Congress about these issues for the last couple of years.
Mr. Ratcliffe. Okay. Well, because, you know, from my
perspective, it seems like you've been altering your behavior
for the last few years in response to this opinion rather than
coming to a committee of jurisdiction, at least from my
perspective. I know that when FBI has a problem, they come and
let us know what it is and how we can fix it.
Mr. Ceresney. We've been having ongoing discussions with
the staff of both Judiciary Senate and House Judiciary
throughout this period, certainly since I've been at the SEC,
which is over----
Mr. Ratcliffe. That's fair enough. Thanks for that.
Mr. Salgado, in your testimony, paraphrasing here a little
bit, but essentially you seem to be saying that H.R. 699 is
really just a codification of the status quo under Warshak. Is
that right?
Mr. Salgado. That's accurate, yes.
Mr. Ratcliffe. Okay. You don't think that H.R. 699 goes
beyond the holding in Warshak?
Mr. Salgado. I don't think it does. I'm happy to hear
suggestions, but my review of Warshak and the bill suggests
that they're very consistent.
Mr. Ratcliffe. Mr. Calabrese, you agree with that?
Mr. Calabrese. I do.
Mr. Ratcliffe. Mr. Rosenzweig.
Mr. Rosenzweig. I think I do. I haven't done--I haven't
checked precisely, though.
Mr. Ratcliffe. Okay. I'm going to yield. My time is about
to expire, so I'm going to yield back the balance of my time.
Thank you all for being here.
Mr. Collins. The gentleman yields back. Now the Chair
recognizes himself for questions.
Mr. Salgado, there has been an issue, and we brought this
up here in this emergency issue of provisions, emergency
disclosure mechanisms, and Mr. Littlehale, actually, in his
written testimony, that the primary emergency disclosure
mechanism currently in law are voluntary. He also mentions that
companies are often--and this is his words--unable or unwilling
to respond to law enforcement's lawful demands in a timely
manner.
Now, I think we all would agree true emergencies are there,
and as a son of a Georgia State trooper, there's not going to
be anybody that would deny the need from a law enforcement
perspective. However, it seems to be implying that there's
something missing here. So we did a little bit of research in
our office and with others, and based on the concerns we saw,
that publishing Google's transparency report, based on that
report, which we have looked at, it says Google received 171
emergency disclosure requests and provided at least some data
in response to 80 percent of emergency disclosure requests.
One, I think, for most people to understand it, we've
looked into it, but I'd like to hear your answer. To better
understand that, can you explain why Google responded to only
80 percent of these requests, break down those numbers for us,
and why couldn't the response rate be 100 percent, given what
has been heard from Mr. Littlehale here.
Mr. Salgado. Sure. I'd be happy to. I think the statistic
you're referring to is in our transparency report.
Mr. Collins. Yes.
Mr. Salgado. We've been publishing that number for a while
here so that policymakers and others can get an idea of what
this work is like. The number is actually relatively low, 171
compared to the type of legal process we get.
The 80 percent represents lots of different situations
where the emergency doesn't justify the disclosure. Often, the
case is that the identifier that's given to us in the emergency
request doesn't actually go back to any real account. So there
are some services out there where you can create an account
using a Google or any email address, and it's not verified that
there is such an address. They may use that account to threaten
a school shooting or engage in other some violent activity.
The authorities quite legitimately will come to Google and
ask us for information about this account that was used to
create the account that made the threat. We look in our system,
and there is no such account, so the response back is we have
no data to produce in response to this otherwise legitimate
emergency request. That gets counted as a nondisclosure, and
that adds into the 20 percent where there was not a disclosure.
There was no responsive data.
That's probably the most common situation in that 20
percent. There may be other situations where the request is
coming in and the emergency is over, that the investigation is
now actually about a historical crime, there is no ongoing
threat of loss of life or serious physical injury, which means
it's inappropriate to be using that authority to get the
information.
And we are able to, at that point, say this doesn't look
like an ongoing emergency, we can preserve the information, and
when you come back to us with the legal process, we can
promptly disclose.
Mr. Collins. Okay. And just real quickly, but you went on
with your answer long enough to bring up a question. Are you
making that determination if the emergency situation is still
ongoing?
Mr. Salgado. That's right. The statute----
Mr. Collins. Not the law enforcement agency offering?
Mr. Salgado. The statute says that we are allowed to
disclose if we have a good faith belief that there's an
emergency.
Mr. Collins. Okay. Mr. Littlehale, when you testified
before House Judiciary Committee in 2013 about the emergency
disclosure issue, you said that some providers make a decision
never to provide records in the absence of legal process, no
matter the circumstance.
Can you identify the service providers that have a policy
of categorically rejecting emergency requests in the absence of
compulsory legal process? If not, why?
Mr. Littlehale. Congressman, as I stated in response to the
question at the time, I have made the decision not to identify,
in the examples that I give, specific providers because I don't
want to highlight a vulnerability in a public forum. There may
come a time when we do have to disclose that.
Mr. Collins. Well, I tell you what. I would like to request
you can submit that in a nonpublic forum, but I'm really
concerned here that we're making a categorical statement
without categorical proof.
Mr. Littlehale. Well, I can certainly say anecdotally that
the agents----
Mr. Collins. No, I want to know--you made a direct
statement.
Mr. Littlehale [continuing]. That I work with have been
told that by providers.
Mr. Collins. Mr. Littlehale, you made a direct statement.
It wasn't anecdotally. I didn't start off by saying,
``Anecdotally, providers make a decision never.'' You said in
your testimony, providers make a decision never to provide
records in the absence of legal process, no matter the
circumstance, and that's a very direct statement against the
business practices of Internet providers.
Is it true? Is it not true? Do you have evidence? Or do you
not have evidence?
Mr. Littlehale. I have been told that by providers, yes.
Mr. Collins. But you don't have evidence. You made a
statement that is not grounded, except anything and
anecdotally.
Mr. Littlehale. Well, I'd say I would suggest that I do
have evidence. I have been told that by providers.
Mr. Collins. Well, I was told that there was a Santa Claus,
but I found out real quickly there wasn't. I mean, I'm trying
to figure out----
Mr. Littlehale. Congressman, I would suggest that that's
evidence. If you choose not to believe me, then I suppose I
can't help you with that, but I have been told and agents that
work for me have been told that in some cases.
Mr. Collins. I'll just let that one sit.
Mr. Ceresney, during an exchange with Senator Leahy in a
Senate hearing on this topic, you said that with regard to
phone calls, you're not seeking authority, the criminal--
authority that criminal authorities have that civil agencies do
not, but in seeking to get access to emails without a warrant,
you're essentially seeking something more than the authority,
the criminal authorities have. Isn't that contradictory?
Mr. Ceresney. I don't think we're seeking more authority
than the criminal authorities have.
Mr. Collins. So what are you seeking?
Mr. Ceresney. I'm sorry?
Mr. Collins. Then what are you seeking? I'll give you a
chance to clarify that.
Mr. Ceresney. Sure. What we're seeking is the ability to
obtain emails after we try to obtain them from an individual
subscriber by going to a court and obtaining a court order with
notice to the subscriber and allowing the subscriber to raise
whatever objections they have before the court.
Mr. Collins. Well, I think it's--and like I said, it's
interesting that some of the testimony that's been given here,
and I think, you know, it's very concerning from some issues of
anecdotal evidence and real evidence and discussion, especially
on the SEC side, when you're, you know, giving the--you know,
your own report saying you're doing more than you've ever done
here, yet without this, by choice or decision, however you're
wanting to do it.
Mr. Calabrese, one last question for you, as my time is now
over. But in dissent from the FTC request of civil agency carve
out, FTC Commissioner Brill wrote, ``I am not convinced that
this authority is necessary to maintain the commission's
effectiveness as a law enforcement agency now or in cases that
we can presently foresee. On the other hand, I am concerned
that the judicial mechanism for civil law enforcement agencies
to obtain content from ECPA providers could entrench authority
that have potential to lead invasions of individual privacy,
and under some circumstances, may be unconstitutional in
practice.''
Could you speak very briefly. Do you agree or disagree with
his concern?
Mr. Calabrese. I do worry that we will create an
unconstitutional or incredibly reckless carve out for civil
agencies. And my hope is that we continue to push H.R. 699
forward as is to a markup and we can vote and get it to the
floor. Thank you.
Mr. Collins. Well, I appreciate it. In looking around and
seeing how it's just me and the distinguished Ranking Member,
this concludes today's hearing. I'd like to thank all the
witnesses for attending. Without objection, all Members have 5
legislative days to submit additional written questions for the
witnesses or additional materials for the record.
And with that, this hearing is adjourned.
[Whereupon, at 12:28 p.m., the Committee was adjourned.]
A P P E N D I X
----------
Material Submitted for the Hearing Record
Prepared Statement of the Honorable Doug Collins, a Representative in
Congress from the State of Georgia, and Member, Committee on the
Judiciary
Mr. Chairman, thank you for holding today's hearing on H.R. 699,
the Email Privacy Act. I appreciate the chance to discuss this
important legislation and hear from the witnesses. I hope that today's
hearing is just the first step towards Committee mark-up and
consideration of H.R. 699.
H.R. 699 was introduced by my friend from Kansas, Rep. Kevin Yoder.
I am a cosponsor and strong supporter of the Email Privacy Act. If
enacted, the bill would update the Electronic Communications Privacy
Act to better reflect advances in technology and to ensure that
Americans' electronic communications are protected from unwarranted
government intrusion.
As of today this legislation has 305 cosponsors, earning it the
distinction of being the most supported piece of legislation in the
House that has not yet received consideration on the House Floor.
Twenty-eight of these cosponsors serve on the House Judiciary
Committee. The majority of each party has cosponsored the legislation.
It is not often that you see this type of overwhelming bipartisan
support for legislation, but the numbers speak for themselves that this
issue is one that deserves and demands consideration.
I understand that certain Members may have concerns with specific
provisions of the legislation. While I support the legislation in its
current form, I think the best way to address these concerns is through
a markup of the legislation, where amendments can be discussed and
democratically considered. No one is served by this legislation
languishing in legislative limbo.
Law enforcement needs clarity. Internet service providers need laws
that accurately reflect their technological advances. And most
importantly, the American people need and deserve privacy protections
guaranteed to them by the Fourth Amendment of the United States
Constitution.
It is past time that our digital privacy laws were updated to
reflect today's technology and communications climate. The Electronic
Communications Privacy Act (ECPA) was written in 1986, and intended to
balance the interests of preserving citizens' privacy rights while
protecting legitimate law enforcement needs. While the principles
behind the law are still critically important and it remains a hallmark
of privacy protections for communications, in practice many parts of
the law simply have not kept up with the world as it is today. ECPA--
and in particular the Stored Communications Act (SCA) provision of the
law--must be amended to reflect the realities of the digital era in
which we live.
The Email Privacy Act takes critical steps to update ECPA so that
Americans' Fourth Amendment rights are better protected and so that
citizens' can communicate on the internet free from unwarranted
government snooping.
The bill eliminates the outdated ``180 day'' standard from current
law. Current law under ECPA does not require law enforcement to obtain
a warrant to access the content of emails or other forms of online
communication--such as documents stored on a cloud service--if they are
more than 180 days old. For messages over 180 days old, only a
subpoena--rather than a warrant--is required for access. While this
distinction may have made sense when storage space on personal
computers was extremely limited and emails were still a fledging and
rarely used form of communication, it certainly does make sense today.
Americans deserve the same strong Fourth Amendment protections whether
their emails are a day old or several months old. The Email Privacy Act
addresses this issue by instituting a requirement that law enforcement
obtains a search warrant before accessing the content of Americans'
private emails and online communications.
H.R. 699 would essentially codify a decision issued by the Sixth
Circuit Court of Appeals in 2010 in United States v. Warshak while
clarifying additional privacy protections. In Warshak the Court held
that the government's accessing of 27,000 emails directly from a
suspect's internet service provider (ISP) with a subpoena and an ex
parte order was unlawful under the Fourth Amendment. Specifically, the
Sixth Circuit said that subscribers have ``a reasonable expectation of
privacy in the contents of emails `that are stored with, or sent or
received through, a commercial ISP''' and ``to the extent that the SCA
purports to permit the government to obtain such emails warrantlessly,
the SCA is unconstitutional.'' \1\
---------------------------------------------------------------------------
\1\ United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).
---------------------------------------------------------------------------
In light of Warshak and the Email Privacy Act, the Securities and
Exchange Commission (SEC) and other civil agencies have sought
exemptions from the warrant requirement, arguing instead that it should
be allowed to retain subpoena powers. The SEC maintains that subpoena
authority is critical for their investigations, but that statement has
been called in question by SEC Chair Mary Jo White's admission that the
SEC has not used subpoena authority post-Warshak.
The Federal Trade Commission (FTC) has made similar claims that it
should be subject to a warrant exemption when seeking content from
ISPs. However, Commissioner Brill went so far as to file a dissent to
the FTC's request for a carve out. Commissioner Brill stated, ``I am
not convinced that this authority is necessary to maintain the
Commission's effectiveness as a law enforcement agency now or in cases
that we can presently foresee. On the other hand, I am concerned that a
judicial mechanism for civil law enforcement agencies to obtain content
from ECPA providers could entrench authority that have the potential to
lead to invasions of individuals' privacy and, under some
circumstances, maybe unconstitutional in practice.''
I share Commissioner Brill's concerns. Absent much more compelling
evidence from civil investigative agencies, I do not believe that these
agencies should be allowed to pry into Americans' personal lives based
solely on subpoena authority. This kind of change could fundamentally
harm the important steps taken in H.R. 699 to better protect Americans'
rights to have their online communications protected.
Let me make clear that I believe it is critical law enforcement has
the tools they need to prevent and fight crime. My father was a Georgia
State Trooper, so I was instilled with respect and admiration for our
men and women in uniform from a young age. I believe that in true
emergencies, law enforcement needs to be able to access information
quickly. I believe there are potentially legitimate reasons that law
enforcement would seek the content of an individual's online
communication. However, I do not believe that we should create so many
carve-outs and exceptions to the law that the purpose of the
legislation is lost. We must carefully balance the needs of law
enforcement with the rights of Americans.
The Email Privacy Act updates ECPA to restore that balance and
bring our privacy laws into today's world. I look forward to hearing
from our witnesses, and I hope that today is a step closer towards
passage of H.R. 699.
Thank you Mr. Chairman, I yield back.
Prepared Statement of the Honorable Sheila Jackson Lee, a
Representative in Congress from the State of Texas, and Member,
Committee on the Judiciary
Thank you, Mr. Chairman. Let me extend my thanks to you and Ranking
Member Conyers for working together in a spirit of bipartisanship to
convene this important hearing on H.R. 699, the ``Email Privacy Act.''
The Fourth Amendment to the United States Constitution states:
``The right of the people to be secure in their
persons, houses, papers, and effects, against unreasonable
searches and seizures, shall not be violated, and no warrants
shall issue, but upon probable cause, supported by oath or
affirmation, and particularly describing the place to be
searched, and the persons or things to be seized.''
The Fourth Amendment originally enforced the notion that ``each
man's home is his castle'', secure from unreasonable searches and
seizures of property by the government.
The authors of the Constitution had good cause to work to establish
protections against government overreach, which they themselves
experienced.
In our history we can understand the seriousness with which the
Founding Fathers viewed government authority to search private
citizens' correspondence or communications.
The British authorities used writs of assistance, a form of general
warrant, which permitted house-to-house searches.
These orders generally failed to allege any illegal activity and
were not approved by a judge.
John Adams credited these practices as being ``the spark in which
originated the American Revolution.''
As a direct result the founders of this nation drafted the Fourth
Amendment to the Constitution of the United States.
However, beginning with the 1967, Supreme Court decision in Katz v.
United States (establishing the ``reasonable expectation of privacy''
test) held that what a person knowingly exposes to the public, even in
a home or office, is not subject to Fourth Amendment protection.
This holding began the move to establish what has become known as
the Third Party Doctrine--such that the Fourth Amendment does not
prohibit the obtaining of information revealed to a third party and
conveyed to him by Government authorities, even if the information is
revealed on the assumption that it will be used only for a limited
purpose and the confidence placed in the third part will not be
betrayed.
The Third Party Doctrine was expanded in two key Supreme Court
decisions in mid- to late 1970s: U.S. v. Miller, 425 U.S. 435 (1976)
(holding that one does not have a constitutionally protected privacy
interest in personal records held by a bank), and Smith v. Maryland,
442 U.S. 735 (1979) (holding that the installation and use of the pen
register was not a ``search'' and thus no warrant was required).
These integral cases came before the Internet and long before the
use of Cloud based computing services, but their impact are still felt
today.
The Modern Communication Age
In possibly the first survey of its kind, in 1983, the polling firm
Louis Harris & Associates asked U.S. adults if they had a personal
computer at home and, if so, if they used it to transmit information
over telephone lines.
Just 10% of adults surveyed said they had a home computer and, of
those, 14% said they used a modem to send and receive information.
The resulting estimate was that 1.4% of U.S. adults used the
internet in 1983.
In 2014, the Pew Center for American life found that eight in ten
U.S. adults (81%) say they use laptop and desktop computers.
Further, 90% of adults in the United States own a smartphone,
providing them with instant access to email services.
While the 1986 enactment of the Electronic Communications Privacy
Act (ECPA) (which sought to govern how law enforcement agencies and
private parties may access electronic communications, was meant to be
forward looking as technologies began to rapidly advance), and various
lower court decisions such as the 2010 Sixth Circuit case U.S. v.
Warshak, 631 F.3d 266 (6th Cir. 2010), (which held that subscribers
have a reasonable expectation of privacy in the content of electronic
communications and that the government must obtain a warrant to access
email stored by a third party), have attempted to clarify and govern
electronic storage on third party servers, constitutional and
legislative privacy safeguards for electronic communications and other
forms of developing digital media are wholly inadequate for modern
times.
The advent of Cloud Commuting services has only further broadened
the question of third parties and communications due to the storage of
not only emails, but digital photos, video, audio, electronic books,
music preferences, political views, religious beliefs or the lack
thereof.
Smart devices in use by tens of millions of Americans allow for the
collection, and retention of much more information--and that retention
is outside of the control of the email user.
The use of email as a primary means of communication is not limited
to individuals, but obviously extends to businesses.
The number of worldwide email accounts continues to grow from over
4.1 billion accounts in 2014 to over 5.2 billion accounts by the end of
2018.
The total number of worldwide email users, including both business
and consumer users, is also increasing from over 2.5 billion in 2014 to
over 2.8 billion in 2018.
Email remains the most pervasive form of communication in the
business world, while other technologies such as social networking,
instant messaging (IM), mobile IM, and others are also taking hold,
email remains the most ubiquitous form of business communication.
H.R. 699 a Step in the Right Direction
H.R. 699, The Email Privacy Act will amend the 29-year-old
Electronic Communications Privacy Act to prevent the government from
accessing private electronic communications without a warrant.
Specifically, the Email Privacy Act will prohibit a provider of
remote computing service or electronic communication service (including
email communications) to the public from knowingly divulging to a
governmental entity the contents of any communication that is in
electronic storage or otherwise maintained by the provider, subject to
exceptions.
H.R. 699 will revise provisions under which the government may
require a provider to disclose the contents of such communications.
The bill further clarifies the Electronic Communication Privacy Act
of 1986 by eliminating the different requirements applicable under
current law such how communications would be treated if they are:
o stored for fewer than, or more than, 180 days by an electronic
communication service; or
o held by an electronic communication service as opposed to a
remote computing service.
Importantly, this bill requires the government to obtain a warrant
from a court before requiring providers to disclose the content of such
communications regardless of how long the communication has been held
in electronic storage by an electronic communication service, or
whether the information is sought from an electronic communication
service or a remote computing service.
FBI Director Comey, has testified that the current practice of the
FBI is to obtain a warrant for e-mail communications, and that this
bill would not change their current practices.
Moreover, this bill would not change any of the existing exceptions
in the Electronic Communication Privacy Act that allow emergency
requests for assistance to be processed in a timely manner.
The bill does require a law enforcement agency, within 10 days
after receiving the contents of a customer's communication, or a
governmental entity, within 3 days, to provide a customer whose
communications were disclosed by the provider a copy of the warrant and
a notice that such information was requested by, and supplied to, the
government entity.
It further allows the government to request delays of such
notifications.
H.R. 699 is an important measure that directs the Comptroller
General to report to Congress regarding disclosures of customer
communications and records under provisions: (1) as in effect before
the enactment of this Act, and (2) as amended by this Act.
The Constitution of the United States is alive and well in the 21st
Century, and this bill through overwhelming bipartisan support is
making strides to make sure that citizens are secure in their digital
records and effects.
Again, thank you for holding this important hearing and I look
forward to the testimony of our distinguished panel of witnesses.
Thank you. I yield back the remainder of my time.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]